diff --git a/tests/smoke.fmf b/tests/smoke.fmf
new file mode 100644
index 0000000..e690dff
--- /dev/null
+++ b/tests/smoke.fmf
@@ -0,0 +1,7 @@
+require:
+ - openscap-report
+summary: Basic smoke test
+test: ./smoke.sh
+tag:
+ - smoke
+tier: 0
diff --git a/tests/smoke.sh b/tests/smoke.sh
new file mode 100755
index 0000000..e623446
--- /dev/null
+++ b/tests/smoke.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+# Test of the basic function
+
+set -e -o pipefail
+
+# Generate report
+oscap-report < ./test_data/arf-report.xml > report.html
+
+# Search for some rule ID in the report
+grep -q "xccdf_org\.ssgproject\.content_rule_enable_fips_mode" report.html
+
+rm report.html
+
+echo "Report generation success"
diff --git a/tests/test_data/arf-report.xml b/tests/test_data/arf-report.xml
new file mode 100644
index 0000000..753c33c
--- /dev/null
+++ b/tests/test_data/arf-report.xml
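Review bot: In tests/smoke.sh the generated report goes to a fixed `report.html` in the current directory and is only removed on the success path, so a failing `grep -q` (or a failing `oscap-report` under `set -e`) leaves the file behind, and any pre-existing `report.html` in the working directory is silently overwritten. Create it with `report=$(mktemp) || exit 1` and register `trap 'rm -f -- "$report"' EXIT` right after the `set` line, then redirect `oscap-report` into `"$report"`, grep `"$report"`, and drop the explicit `rm`. The fixture is also referenced by the relative path `./test_data/arf-report.xml`, so the script presumably depends on being invoked from `tests/` as `test: ./smoke.sh` in smoke.fmf suggests; `cd "$(dirname "$0")"` at the top would make that explicit. Consider `grep -qF` since the rule ID is a fixed string and then the backslash escaping becomes unnecessary.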
@@ -0,0 +1,236449 @@ + + + + + collection1 + + + asset0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + combine_ovals.py from SCAP Security Guide + ssg: [0, 1, 56], python: 3.9.5 + 5.11 + 2021-05-26T00:00:00 + + + + + Enable Logging of All FTP Transactions + + Fedora + + To trace malicious activity facilitated by the FTP + service, it must be configured to ensure that all commands sent to + the FTP server are logged using the verbose vsftpd log format. + + + + + + + + + + + + + + + Create Warning Banners for All FTP Users + + Fedora + + This setting will cause the system greeting banner to be + used for FTP connections as well. + + + + + + + + + + Disable Kerberos by removing host keytab + + Fedora + + Check that there is no Kerberos keytab file present in /etc + + + + + + + + + Configure System to Forward All Mail For The Root Account + + Fedora + + Check if root has the correct mail alias. + + + + + + + + + Ensure Insecure File Locking is Not Allowed + + Fedora + + Allowing insecure file locking could allow for sensitive + data to be viewed or edited by an unauthorized user. + + + + + + + + + Disable chrony daemon from acting as server + + Fedora + + Configure the port setting in /etc/chrony.conf to disable + server operation. + + + + + + + + + + Disable network management of chrony daemon + + Fedora + + Configure the cmdport setting in /etc/chrony.conf to disable + chronyc management connections over network. + + + + + + + + + + Configure Time Service Maxpoll Interval + + Fedora + + Configure the maxpoll setting in /etc/ntp.conf or chrony.conf + to continuously poll the time source servers. 
+ + + + + + + + + + + + + + + + Specify Additional Remote NTP Servers + + Fedora + + Multiple remote chronyd or ntpd NTP Servers for time synchronization should be specified (and dependencies are met) + + + + + + + + + + + + + + + + Specify a Remote NTP Server + + Fedora + + A remote chronyd or ntpd NTP Server for time synchronization should be specified (and dependencies are met) + + + + + + + + + + + + + + + + Ensure that chronyd is running under chrony user account + + Fedora + + Ensure 'OPTIONS' is configured with value '["]?.*-u chrony.*["]?' in /etc/sysconfig/chronyd + + + + + + + + + + + + A remote time server for Chrony is configured + + Fedora + + A remote NTP Server for time synchronization should be + specified (and dependencies are met) + + + + + + + + + Configure server restrictions for ntpd + + Fedora + + Certain restrictions are imposed on ntp servers configured to be used by ntpd + + + + + + + + + + Configure ntpd To Run As ntp User + + Fedora + + Ensure ntpd is configured to run correctly under the ntp user. + + + + + + + + + + Specify Additional Remote NTP Servers + + Fedora + + Multiple ntpd NTP Servers for time synchronization should be specified. + + + + + + + + + Specify a Remote NTP Server + + Fedora + + A remote ntpd NTP Server for time synchronization should be + specified (and dependencies are met) + + + + + + + + + Enable the NTP Daemon + + Fedora + + At least one of the chronyd or ntpd services should be enabled if possible. + + + + + + + + + + Remove Rsh Trust Files + + Fedora + + There should not be any .rhosts or hosts.equiv files on the system. + + + + + + + + + + + Ensure Default SNMP Password Is Not Used + + Fedora + + SNMP default communities must be removed. + + + + + + + + + Configure SNMP Service to Use Only SNMPv3 or Newer + + Fedora + + SNMP version 1 and 2c must not be enabled. + + + + + + + + + + Allow Only SSH Protocol 2 + + Fedora + + The OpenSSH daemon should be running protocol 2. 
+ + + + + + + + + + + + + + + + + + + + Disable Compression Or Set Compression to delayed + + Fedora + + SSH should either have compression disabled or set to delayed. + + + + + + + + + + + + + + + + + + Disable SSH Support for Rhosts RSA Authentication + + Fedora + + SSH can allow authentication through the obsolete rsh command + through the use of the authenticating user's SSH keys. This should be disabled. + + + + + + + + + + + + + + + + + + + + Force frequent session key renegotiation + + Fedora + + Ensure 'RekeyLimit' is configured with the correct value in '/etc/ssh/sshd_config' + + + + + + + + + + + + + + + + + Set SSH Idle Timeout Interval + + Fedora + + The SSH idle timeout interval should be set to an + appropriate value. + + + + + + + + + + + + + + + + + + Set SSH Client Alive Count Max + + Fedora + + The SSH ClientAliveCountMax should be set to an appropriate + value (and dependencies are met) + + + + + + + + + + + + + + + + + Set SSH authentication attempt limit + + Fedora + + The SSH MaxAuthTries should be set to an + appropriate value. + + + + + + + + + + Set SSH MaxSessions limit + + Fedora + + The SSH number of max sessions should be set to an + appropriate value. + + + + + + + + + + + + + + + + + Enable Use of Privilege Separation + + Fedora + + Ensure 'UsePrivilegeSeparation' is configured with value 'sandbox' in '/etc/ssh/sshd_config' + + + + + + + + + + + + + Enable Smartcards in SSSD + + Fedora + + SSSD should be configured to authenticate access to the system + using smart cards. + + + + + + + + + + + + + Configure SSSD's Memory Cache to Expire + + Fedora + + SSSD's memory cache should be configured to set to expire records after 1 day. + + + + + + + + + + + + + Configure SSSD to Expire Offline Credentials + + Fedora + + SSSD should be configured to expire offline credentials after 1 day. + + + + + + + + + + + + + Configure SSSD to run as user sssd + + Fedora + + SSSD processes should be configured to run as user sssd, not root. 
+ + + + + + + + + Configure SSSD to Expire SSH Known Hosts + + Fedora + + SSSD should be configured to expire keys from known SSH hosts after 1 day. + + + + + + + + + + + + + Log USBGuard daemon audit events using Linux Audit + + Fedora + + Ensure 'AuditBackend' is configured with value 'LinuxAudit' in /etc/usbguard/usbguard-daemon.conf + + + + + + + + + + + + Authorize Human Interface Devices in USBGuard daemon + + Fedora + + Check that /etc/usbguard/rules.conf exists and that it contains at least one non white space character. + + + + + + + + + Authorize Human Interface Devices and USB hubs in USBGuard daemon + + Fedora + + Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists. + + + + + + + + + Authorize USB hubs in USBGuard daemon + + Fedora + + Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists. + + + + + + + + + Disable X Windows Startup By Setting Default Target + + Fedora + + Ensure that the default runlevel target is set to multi-user.target. + + + + + + + + + Modify the System Login Banner + + Fedora + + The system login banner text should be set correctly. + + + + + + + + + Modify the System Message of the Day Banner + + Fedora + + The system login banner text should be set correctly. + + + + + + + + + Enable GNOME3 Login Warning Banner + + Fedora + + Enable the GNOME3 Login warning banner. + + + + + + + + + + + + + + Set the GNOME3 Login Warning Banner Text + + Fedora + + Enable the GUI warning banner. + + + + + + + + + + + + + + Ensure PAM Displays Last Logon/Access Notification + + Fedora + + Configure the system to notify users of last login/access using pam_lastlog. + + + + + + + + + Set Up a Private Namespace in PAM Configuration + + Fedora + + Check presence of pam_namespace.so module in the /etc/pam.d/login file + + + + + + + + + Limit Password Reuse + + Fedora + + The passwords to remember should be set correctly. 
+ + + + + + + + + + Set Deny For Failed Password Attempts + + Fedora + + The number of allowed failed logins should be set correctly. + + + + + + + + + + + + + + + + + + + + + + Configure the root Account for Failed Password Attempts + + Fedora + + The root account should be configured to deny access after the number of defined + failed attempts has been reached. + + + + + + + + + + + + Set Interval For Counting Failed Password Attempts + + Fedora + + The number of allowed failed logins should be set correctly. + + + + + + + + + + + + + + Set Lockout Time for Failed Password Attempts + + Fedora + + The unlock time after number of failed logins should be set correctly. + + + + + + + + + + + + + + + + Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session + + Fedora + + The password retry should meet minimum requirements + + + + + + + + + Set Password Hashing Algorithm in /etc/libuser.conf + + Fedora + + The password hashing algorithm should be set correctly in /etc/libuser.conf. + + + + + + + + + Set Password Hashing Algorithm in /etc/login.defs + + Fedora + + The password hashing algorithm should be set correctly in /etc/login.defs. + + + + + + + + + Set PAM's Password Hashing Algorithm + + Fedora + + The password hashing algorithm should be set correctly in /etc/pam.d/system-auth. + + + + + + + + + Disable Ctrl-Alt-Del Reboot Activation + + Fedora + + By default, the system will reboot when the + Ctrl-Alt-Del key sequence is pressed. + + + + + + + + + Verify that Interactive Boot is Disabled + + Fedora + + The ability for users to perform interactive startups should + be disabled. + + + + + + + + + + + + + Require Authentication for Emergency Systemd Target + + Fedora + + The requirement for a password to boot into emergency mode + should be configured correctly. 
+ + + + + + + + + + + + Require Authentication for Single User Mode + + Fedora + + The requirement for a password to boot into single-user mode + should be configured correctly. + + + + + + + + + + + + Support session locking with tmux + + Fedora + + Check if tmux is configured to exec at the end of bashrc. + + + + + + + + + Configure tmux to lock session after inactivity + + Fedora + + Check if tmux is configured to lock sessions after period of inactivity. + + + + + + + + + Configure the tmux Lock Command + + Fedora + + Check if the vlock command is configured to be used as a locking mechanism in tmux. + + + + + + + + + Prevent user from disabling the screen lock + + Fedora + + Check that tmux is not listed in /etc/shells + + + + + + + + + Configure opensc Smart Card Drivers + + Fedora + + Configure the organization's smart card driver so that only + the smart card in use by the organization will be recognized by the system. + + + + + + + + + Configure NSS DB To Use opensc + + Fedora + + The NSS DB should be set to use opensc library. + + + + + + + + + Force opensc To Use Defined Smart Card Driver + + Fedora + + Force opensc to use the organization's smart card driver so that only + the smart card in use by the organization will be recognized by the system. + + + + + + + + + Enable Smart Card Login + + Fedora + + Enable Smart Card logins + + + + + + + + + + + + + + + + + + + + Set Account Expiration Following Inactivity + + Fedora + + The accounts should be configured to expire automatically following password expiration. + + + + + + + + + Ensure All Accounts on the System Have Unique Names + + Fedora + + All accounts on the system should have unique names for proper accountability. + + + + + + + + + Set Password Maximum Age + + Fedora + + The maximum password age policy should meet minimum requirements. + + + + + + + + + Set Password Minimum Age + + Fedora + + The minimum password age policy should be set appropriately. 
+ + + + + + + + + Set Password Minimum Length in login.defs + + Fedora + + The password minimum length should be set appropriately. + + + + + + + + + Set Password Warning Age + + Fedora + + The password expiration warning age should be set appropriately. + + + + + + + + + Verify All Account Password Hashes are Shadowed + + Fedora + + All password hashes should be shadowed. + + + + + + + + + Set number of Password Hashing Rounds - password-auth + + Fedora + + The number of rounds for password hashing should be set correctly. + + + + + + + + + + + + + Set number of Password Hashing Rounds - system-auth + + Fedora + + The number of rounds for password hashing should be set correctly. + + + + + + + + + + + + + All GIDs referenced in /etc/passwd must be defined in /etc/group + + Fedora + + All GIDs referenced in /etc/passwd must be defined in /etc/group. + + + + + + + + + Prevent Login to Accounts With Empty Password + + Fedora + + The file /etc/pam.d/system-auth should not contain the nullok option + + + + + + + + + Ensure there are no legacy + NIS entries in /etc/group + + Fedora + + No lines starting with + are in /etc/group + + + + + + + + + Ensure there are no legacy + NIS entries in /etc/passwd + + Fedora + + No lines starting with + are in /etc/passwd + + + + + + + + + Ensure there are no legacy + NIS entries in /etc/shadow + + Fedora + + No lines starting with + are in /etc/shadow + + + + + + + + + Verify No netrc Files Exist + + Fedora + + The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed. + + + + + + + + + Verify Only Root Has UID 0 + + Fedora + + Only the root account should be assigned a user id of 0. + + + + + + + + + Direct root Logins Not Allowed + + Fedora + + Preventing direct root logins help ensure accountability for actions + taken on the system using the root account. 
+ + + + + + + + + + Ensure that System Accounts Do Not Run a Shell Upon Login + + Fedora + + The root account is the only system account that should have + a login shell. + + + + + + + + + + + + + + + + + + + Restrict Serial Port Root Logins + + Fedora + + Preventing direct root login to serial port interfaces helps + ensure accountability for actions taken on the system using the root + account. + + + + + + + + + Restrict Virtual Console Root Logins + + Fedora + + Preventing direct root login to virtual console devices + helps ensure accountability for actions taken on the system using the + root account. + + + + + + + + + Enforce usage of pam_wheel for su authentication + + Fedora + + Only members of the wheel group should be able to authenticate through the su command. + + + + + + + + + Ensure Home Directories are Created for New Users + + Fedora + + CREATE_HOME should be enabled + + + + + + + + + Ensure the Logon Failure Delay is Set Correctly in login.defs + + Fedora + + The delay between failed authentication attempts should be + set for all users specified in /etc/login.defs + + + + + + + + + Limit the Number of Concurrent Login Sessions Allowed Per User + + Fedora + + The maximum number of concurrent login sessions per user should meet + minimum requirements. + + + + + + + + + + + + + Configure Polyinstantiation of /tmp Directories + + Fedora + + + + + + + + + + + + Configure Polyinstantiation of /var/tmp Directories + + Fedora + + + + + + + + + + + + Set Interactive Session Timeout + + Fedora + + Checks interactive shell timeout + + + + + + + + + + Ensure that User Home Directories are not Group-Writable or World-Readable + + Fedora + + File permissions should be set correctly for the home directories for all user accounts. 
+ + + + + + + + + Ensure that Root's Path Does Not Include World or Group-Writable Directories + + Fedora + + Check each directory in root's path and make use it does + not grant write permission to group and other + + + + + + + + + Ensure that Root's Path Does Not Include Relative Paths or Null Directories + + Fedora + + The environment variable PATH should be set correctly for + the root user. + + + + + + + + + + + + + + Ensure the Default Umask is Set Correctly in login.defs + + Fedora + + The default umask for all users specified in /etc/login.defs + + + + + + + + + + Ensure the Default Umask is Set Correctly in /etc/profile + + Fedora + + The default umask for all users should be set correctly + + + + + + + + + + Enable Syscall Auditing + + Fedora + + Syscall auditing should not be disabled. + + + + + + + + + + + + + + + + Make the auditd Configuration Immutable + + Fedora + + Force a reboot to change audit rules is enabled + + + + + + + + + + + + + + + + Record Events that Modify the System's Mandatory Access Controls + + Fedora + + Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled. + + + + + + + + + + + + + + + + Record Events that Modify the System's Network Environment + + Fedora + + The network environment should not be modified by anything other than + administrator action. Any change to network parameters should be audited. + + + + + + + + + + + + + + + + + + + + + + + + + + Record Attempts to Alter Process and Session Initiation Information + + Fedora + + Audit rules should capture information about session initiation. + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects System Administrator Actions + + Fedora + + Audit actions taken by system administrators on the system. + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information + + Fedora + + Audit rules should detect modification to system files that hold information about users and groups. 
+ + + + + + + + + + + + + + + + + + + + + + + + Record Access Events to Audit Log Directory + + Fedora + + Audit rules about the read events to /var/log/audit + + + + + + + + + + + + + + + + System Audit Logs Must Have Mode 0750 or Less Permissive + + Fedora + + Checks for correct permissions for /var/log/audit. + + + + + + + + + + + + + System Audit Logs Must Be Owned By Root + + Fedora + + Checks that all /var/log/audit files and directories are owned by the root user and group. + + + + + + + + + + + + + + + + + System Audit Logs Must Have Mode 0640 or Less Permissive + + Fedora + + Checks for correct permissions for all log files in /var/log/audit. + + + + + + + + + + + + + Ensure auditd Collects File Deletion Events by User + + Fedora + + Audit files deletion events. + + + + + + + + + + + + + Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Loading and Unloading + + Fedora + + The audit rules should be configured to log information about kernel module loading and unloading. + + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Unloading - delete_module + + Fedora + + The audit rules should be configured to log information about kernel module loading and unloading. + + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module + + Fedora + + The audit rules should be configured to log information about kernel module loading and unloading. + + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Loading - init_module + + Fedora + + The audit rules should be configured to log information about kernel module loading and unloading. 
+ + + + + + + + + + + + + + + + + + + + + + + + Record Attempts to Alter Logon and Logout Events + + Fedora + + Audit rules should be configured to log successful and unsuccessful login and logout events. + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands + + Fedora + + Audit rules about the information on the use of privileged commands are enabled. + + + + + + + + + + + + + + + + + + Record attempts to alter time through adjtimex + + Fedora + + Record attempts to alter time through adjtimex. + + + + + + + + + + + + + + + + + + + + + + + + Record Attempts to Alter Time Through clock_settime + + Fedora + + Record attempts to alter time through clock_settime. + + + + + + + + + + + + + + + + + + + + + + + + Record attempts to alter time through settimeofday + + Fedora + + Record attempts to alter time through settimeofday. + + + + + + + + + + + + + + + + + + + + + + + + Record Attempts to Alter Time Through stime + + Fedora + + Record attempts to alter time through stime. Note that on + 64-bit architectures the stime system call is not defined in the audit + system calls lookup table. + + + + + + + + + + + + + + + + + + + + + + Record Attempts to Alter the localtime File + + Fedora + + Record attempts to alter time through /etc/localtime. 
+ + + + + + + + + + + + + + + + Configure audispd Plugin To Send Logs To Remote Server + + Fedora + + remote_server setting in /etc/audit/audisp-remote.conf is set to a certain IP address or hostname + + + + + + + + + Encrypt Audit Records Sent With audispd Plugin + + Fedora + + transport setting in /etc/audit/audisp-remote.conf is set to 'KRB5' + + + + + + + + + Configure auditd to use audispd's syslog plugin + + Fedora + + active setting in /etc/audit/plugins.d/syslog.conf is set to 'yes' + + + + + + + + + Configure auditd Disk Error Action on Disk Error + + Fedora + + disk_error_action setting in /etc/audit/auditd.conf is set to a certain action + + + + + + + + + Configure auditd Disk Full Action when Disk Space Is Full + + Fedora + + disk_full_action setting in /etc/audit/auditd.conf is set to a certain action + + + + + + + + + Configure auditd mail_acct Action on Low Disk Space + + Fedora + + action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account + + + + + + + + + Configure auditd admin_space_left Action on Low Disk Space + + Fedora + + admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action + + + + + + + + + Configure auditd flush priority + + Fedora + + The setting for flush in /etc/audit/auditd.conf + + + + + + + + + Configure auditd Max Log File Size + + Fedora + + max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value + + + + + + + + + Configure auditd max_log_file_action Upon Reaching Maximum Log Size + + Fedora + + max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action + + + + + + + + + Configure auditd Number of Logs Retained + + Fedora + + num_logs setting in /etc/audit/auditd.conf is set to at least a certain value + + + + + + + + + Configure auditd space_left Action on Low Disk Space + + Fedora + + space_left_action setting in /etc/audit/auditd.conf is set to a certain action + + + + + + + + + Set the Boot Loader Admin Username to a Non-Default 
Value + + Fedora + + The grub2 boot loader superuser should have a username that is hard to guess. + + + + + + + + + + Set Boot Loader Password in grub2 + + Fedora + + The grub2 boot loader should have password protection enabled. + + + + + + + + + + + + + + + + Set the UEFI Boot Loader Admin Username to a Non-Default Value + + Fedora + + The grub2 boot loader superuser should have a username that is hard to guess. + + + + + + + + + + Set the UEFI Boot Loader Password + + Fedora + + The UEFI grub2 boot loader should have password protection enabled. + + + + + + + + + + + + + + + + Configure Logwatch HostLimit Line + + Fedora + + Test if HostLimit line in logwatch.conf is set appropriately. + + + + + + + + + Configure Logwatch SplitHosts Line + + Fedora + + Check if SplitHosts line in logwatch.conf is set appropriately. + + + + + + + + + Ensure cron Is Logging To Rsyslog + + Fedora + + Rsyslog should be configured to capture cron messages. + + + + + + + + + + Ensure Log Files Are Owned By Appropriate Group + + Fedora + + All syslog log files should be owned by the appropriate group. + + + + + + + + + Ensure Log Files Are Owned By Appropriate User + + Fedora + + All syslog log files should be owned by the appropriate user. + + + + + + + + + Ensure System Log Files Have Correct Permissions + + Fedora + + File permissions for all syslog log files should be set correctly. 
+ + + + + + + + + Ensure Logrotate Runs Periodically + + Fedora + + + The frequency of automatic log files rotation performed by the logrotate utility should be configured to run daily + + + + + + + + + + + + Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server + + Fedora + + rsyslogd should reject remote messages + + + + + + + + + Ensure Logs Sent To Remote Host + + Fedora + + Syslog logs should be sent to a remote loghost + + + + + + + + + + Configure TLS for rsyslog remote logging + + Fedora + + Check that all needed TLS-related options are present + + + + + + + + + Configure CA certificate for rsyslog remote logging + + Fedora + + Check that the CA certificate path is set + + + + + + + + + Disable Zeroconf Networking + + Fedora + + Disable Zeroconf automatic route assignment in the + 169.254.0.0 subnet. + + + + + + + + + Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Fedora + + polkit is properly configured to prevent non-privileged users from changing networking settings + + + + + + + + + Ensure System is Not Acting as a Network Sniffer + + Fedora + + Disable the network sniffer + + + + + + + + + Set Default firewalld Zone for Incoming Packets + + Fedora + + Change the default firewalld zone to drop. + + + + + + + + + Manually Assign IPv6 Router Address + + Fedora + + Define default gateways for IPv6 traffic + + + + + + + + + + Use Privacy Extensions for Address + + Fedora + + Enable privacy extensions for IPv6 + + + + + + + + + + Manually Assign Global IPv6 Address + + Fedora + + Manually configure addresses for IPv6 + + + + + + + + + + Disable IPv6 Networking Support Automatic Loading + + Fedora + + The disable option will allow the IPv6 module to be inserted, but prevent address assignment and activation of the network stack. 
+ + + + + + + + + Disable Support for RPC IPv6 + + Fedora + + Disable ipv6 based rpc services + + + + + + + + + + Deactivate Wireless Network Interfaces + + Fedora + + All wireless interfaces should be disabled. + + + + + + + + + Ensure All World-Writable Directories Are Owned by root user + + Fedora + + All world writable directories should be owned by root. + + + + + + + + + Verify that All World-Writable Directories Have Sticky Bits Set + + Fedora + + The sticky bit should be set for all world-writable directories. + + + + + + + + + Ensure All World-Writable Directories Are Owned by a System Account + + Fedora + + All world writable directories should be owned by a system user. + + + + + + + + + Ensure All World-Writable Directories Are Group Owned by a System Account + + Fedora + + All world writable directories should be group owned by a system user. + + + + + + + + + Verify that local System.map file (if exists) is readable only by root + + Fedora + + + Checks that /boot/System.map-* are only readable by root. + + + + + + + + + + Ensure All SGID Executables Are Authorized + + Fedora + + Evaluates to true if all files with SGID set are owned by RPM packages. + + + + + + + + + Ensure All SUID Executables Are Authorized + + Fedora + + Evaluates to true if all files with SUID set are owned by RPM packages. + + + + + + + + + Ensure No World-Writable Files Exist + + Fedora + + The world-write permission should be disabled for all files. + + + + + + + + + Ensure All Files Are Owned by a Group + + Fedora + + All files should be owned by a group + + + + + + + + + Ensure All Files Are Owned by a User + + Fedora + + All files should be owned by a user + + + + + + + + + Verify that Shared Library Directories Have Restrictive Permissions + + Fedora + + + Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and + objects therein, are not group-writable or world-writable. 
+ + + + + + + + + + Verify that System Executables Have Root Ownership + + Fedora + + + Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, + /usr/local/sbin, /usr/libexec, and objects therein, are owned by root. + + + + + + + + + + + Verify that Shared Library Files Have Root Ownership + + Fedora + + + Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and + objects therein, are owned by root. + + + + + + + + + + + Verify that System Executables Have Restrictive Permissions + + Fedora + + + Checks that binary files under /bin, /sbin, /usr/bin, /usr/sbin, + /usr/local/bin, /usr/local/sbin, and /usr/libexec are not group-writable or world-writable. + + + + + + + + + + Verify that Shared Library Files Have Restrictive Permissions + + Fedora + + + Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and + objects therein, are not group-writable or world-writable. + + + + + + + + + + + Disable Kernel Support for USB via Bootloader Configuration + + Fedora + + Ensure 'GRUB_CMDLINE_LINUX' is configured with value 'nousb' in /etc/default/grub + + + + + + + + + Add nodev Option to Non-Root Local Partitions + + Fedora + + The nodev mount option prevents files from being interpreted + as character or block devices. Legitimate character and block devices + should exist in the /dev directory on the root partition or within chroot + jails built for system services. All other locations should not allow + character and block devices. + + + + + + + + + Bind Mount /var/tmp To /tmp + + Fedora + + The /var/tmp directory should be bind mounted to /tmp in + order to consolidate temporary storage into one location protected by the + same techniques as /tmp. 
+ + + + + + + + + + + + + + Disable core dump backtraces + + Fedora + + Ensure 'ProcessSizeMax' is configured with value '0 in section 'Coredump' in /etc/systemd/coredump.conf + + + + + + + + + Disable storing core dump + + Fedora + + Ensure 'Storage' is configured with value 'none in section 'Coredump' in /etc/systemd/coredump.conf + + + + + + + + + Disable Core Dumps for All Users + + Fedora + + Core dumps for all users should be disabled + + + + + + + + + + + + + Set Daemon Umask + + Fedora + + The daemon umask should be set as appropriate + + + + + + + + + + Enable ExecShield via sysctl + + Fedora + + The kernel runtime parameter 'kernel.exec-shield' should not be disabled and set to 1 on 32-bit systems. + + + + + + + + + + + + + + + + + Install PAE Kernel on Supported 32-bit x86 Systems + + Fedora + + The RPM package kernel-PAE should be installed on 32-bit + systems. + + + + + + + + + + + + + + + + + Ensure SELinux Not Disabled in /etc/default/grub + + Fedora + + + Check if selinux=0 OR enforcing=0 within the GRUB2 configuration files, fail if found. + + + + + + + + + + + + Ensure No Device Files are Unlabeled by SELinux + + Fedora + + All device files in /dev should be assigned an SELinux security context other than 'device_t' and 'unlabeled_t'. + + + + + + + + + + Ensure No Daemons are Unconfined by SELinux + + Fedora + + All pids in /proc should be assigned an SELinux security context other than 'unconfined_service_t'. + + + + + + + + + Configure SELinux Policy + + Fedora + + The SELinux policy should be set appropriately. + + + + + + + + + Ensure SELinux State is Enforcing + + Fedora + + The SELinux state should be enforcing the local policy. 
+ + + + + + + + + Prefer to use a 64-bit Operating System when supported + + Fedora + + Check if the system supports a 64-bit Operating System + + + + + + + + + + Make sure that the dconf databases are up-to-date with regards to respective keyfiles + + Fedora + + Make sure that the dconf databases are up-to-date with regards to respective keyfiles. + + + + + + + + + + + + + + + Configure GNOME3 DConf User Profile + + Fedora + + The DConf User profile should have the local DB configured. + + + + + + + + + + Disable the GNOME3 Login Restart and Shutdown Buttons + + Fedora + + Disable the GNOME3 Login GUI Restart and Shutdown buttons to all users on the login screen. + + + + + + + + + + + + + + Disable the GNOME3 Login User List + + Fedora + + Disable the GNOME3 GUI listing of all known users on the login screen. + + + + + + + + + + + + + + Enable the GNOME3 Login Smartcard Authentication + + Fedora + + Enable smartcard authentication in the GNOME3 Login GUI. + + + + + + + + + + + + + + Set the GNOME3 Login Number of Failures + + Fedora + + Set the GNOME3 number of login failure attempts. + + + + + + + + + + + + + + Disable GDM Automatic Login + + Fedora + + Disable the GNOME Display Manager (GDM) ability to allow users to + automatically login. + + + + + + + + + + Disable GDM Guest Login + + Fedora + + Disable the GNOME Display Manager (GDM) ability to allow guest users + to login. + + + + + + + + + + Disable XDMCP in GDM + + Fedora + + Ensure 'Enable' is configured with value 'false in section 'xdmcp' in /etc/gdm/custom.conf + + + + + + + + + + + + Disable GNOME3 automount + + Fedora + + The system's default desktop environment, GNOME3, will mount + devices and removable media (such as DVDs, CDs and USB flash drives) + whenever they are inserted into the system. Disable automount within GNOME3. 
+ + + + + + + + + + + + + + Disable GNOME3 automount-open + + Fedora + + The system's default desktop environment, GNOME3, will mount + devices and removable media (such as DVDs, CDs and USB flash drives) + whenever they are inserted into the system. Disable automount-open within GNOME3. + + + + + + + + + + + + + + Disable GNOME3 autorun + + Fedora + + The system's default desktop environment, GNOME3, will mount + devices and removable media (such as DVDs, CDs and USB flash drives) + whenever they are inserted into the system. Disable autorun within GNOME3. + + + + + + + + + + + + + + Disable All GNOME3 Thumbnailers + + Fedora + + The system's default desktop environment, GNOME3, uses a + number of different thumbnailer programs to generate thumbnails for any + new or modified content in an opened folder. Disable the execution of + these thumbnail applications within GNOME3. + + + + + + + + + + + + + + Disable WIFI Network Connection Creation in GNOME3 + + Fedora + + Disable the GNOME3 wireless network creation settings. + + + + + + + + + + + + + + Disable WIFI Network Notification in GNOME3 + + Fedora + + Disable the GNOME3 wireless network notification. + + + + + + + + + + + + + + Require Credential Prompting for Remote Access in GNOME3 + + Fedora + + Configure GNOME3 to require credential prompting for remote access. + + + + + + + + + + + + + + Require Encryption for Remote Access in GNOME3 + + Fedora + + Configure GNOME3 to require encryption for remote access connections. + + + + + + + + + + + + + + Enable GNOME3 Screensaver Idle Activation + + Fedora + + Idle activation of the screen saver should be enabled. + + + + + + + + + + + + + + Ensure Users Cannot Change GNOME3 Screensaver Idle Activation + + Fedora + + Idle activation of the screen saver should not be changed by users. + + + + + + + + + + + + + Set GNOME3 Screensaver Inactivity Timeout + + Fedora + + The allowed period of inactivity before the screensaver is activated. 
+ + + + + + + + + + + + + + + Set GNOME3 Screensaver Lock Delay After Activation Period + + Fedora + + Idle activation of the screen lock should be enabled immediately or + after a delay. + + + + + + + + + + + + + + + Enable GNOME3 Screensaver Lock After Idle Period + + Fedora + + Idle activation of the screen lock should be enabled. + + + + + + + + + + + + + + Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period + + Fedora + + Idle activation of the screen lock should not be changed by users. + + + + + + + + + + + + + Implement Blank Screensaver + + Fedora + + The GNOME3 screensaver should be blank. + + + + + + + + + + + + + + Disable Full User Name on Splash Shield + + Fedora + + GNOME3 screen splash shield should not display full name of logged in user. + + + + + + + + + + + + + + Ensure Users Cannot Change GNOME3 Screensaver Settings + + Fedora + + Ensure that users cannot change GNOME3 screensaver idle and lock settings. + + + + + + + + + + + + + Ensure Users Cannot Change GNOME3 Session Idle Settings + + Fedora + + Ensure that users cannot change GNOME3 session idle settings. + + + + + + + + + + + + + Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 + + Fedora + + Disable the GNOME3 ctrl-alt-del reboot key sequence in GNOME3. + + + + + + + + + + + + + + Disable Geolocation in GNOME3 + + Fedora + + Disable GNOME3 Geolocation for the clock and system. + + + + + + + + + + + + + + + + Disable Power Settings in GNOME3 + + Fedora + + Disable GNOME3 power settings. + + + + + + + + + + + + + + The Installed Operating System Is FIPS 140-2 Certified + + Fedora + + + The operating system installed on the system is a certified operating system that meets FIPS 140-2 requirements. + + + + + + + + + + + + + + + + + + The Installed Operating System Is Vendor Supported + + Fedora + + + The operating system installed on the system is supported by a vendor that provides security patches. 
+ + + + + + + + + + + + + + + Configure BIND to use System Crypto Policy + + Fedora + + BIND should be configured to use the system-wide crypto policy setting. + + + + + + + + + + Configure System Cryptography Policy + + Fedora + + Ensure crypto policy is correctly configured in /etc/crypto-policies/config, and the policy is current. + + + + + + + + + + + + Configure Kerberos to use System Crypto Policy + + Fedora + + Kerberos should be configured to use the system-wide crypto policy setting. + + + + + + + + + + Configure Libreswan to use System Crypto Policy + + Fedora + + Libreswan should be configured to use the system-wide crypto policy setting. + + + + + + + + + + Configure OpenSSL library to use System Crypto Policy + + Fedora + + OpenSSL should be configured to use the system-wide crypto policy setting. + + + + + + + + + Configure SSH to use System Crypto Policy + + Fedora + + SSH should be configured to use the system-wide crypto policy setting. + + + + + + + + + Harden SSH client Crypto Policy + + Fedora + + Ensure the ssh client ciphers are configured correctly in /etc/ssh/ssh_config.d/02-ospp.conf + + + + + + + + + + + + + + + Harden SSHD Crypto Policy + + Fedora + + Ensure 'CRYPTO_POLICY' is configured with value ''-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256'' in /etc/crypto-policies/back-ends/opensshserver.config + + + + + + + + + + + + + + + + + + + Install Virus Scanning Software + + Fedora + + Antivirus software should be installed. + + + + + + + + + Install Intrusion Detection Software + + Fedora + + Intrusion detection software or SELinux should be installed and enabled. 
+ + + + + + + + + + Install McAfee Virus Scanning Software + + Fedora + + McAfee Antivirus software should be installed. + + + + + + + + + + Install the McAfee Runtime Libraries and Linux Agent + + Fedora + + Install the McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma). + + + + + + + + + + Install the Asset Configuration Compliance Module (ACCM) + + Fedora + + Install the Asset Configuration Compliance Module (ACCM). + + + + + + + + + Install the Policy Auditor (PA) Module + + Fedora + + Install the Policy Auditor (PA) Module. + + + + + + + + + Enable Dracut FIPS Module + + Fedora + + fips module should be enabled in Dracut configuration + + + + + + + + + Enable FIPS Mode + + Fedora + + Check if FIPS mode is enabled on the system + + + + + + + + + + + + + + Ensure '/etc/system-fips' exists + + Fedora + + Check /etc/system-fips exists + + + + + + + + + Set kernel parameter 'crypto.fips_enabled' to 1 + + Fedora + + The kernel 'crypto.fips_enabled' parameter should be set to '1' in system runtime. + + + + + + + + + Build and Test AIDE Database + + Fedora + + The aide database must be initialized. + + + + + + + + + + + Configure Periodic Execution of AIDE + + Fedora + + By default, AIDE does not install itself for periodic + execution. Periodically running AIDE is necessary to reveal + unexpected changes in installed files. + + + + + + + + + + + + + + + + Verify File Hashes with RPM + + Fedora + + Verify the RPM digests of system binaries using the RPM database. + + + + + + + + + Verify and Correct File Permissions with RPM + + Fedora + + Verify the permissions of installed packages + by comparing the installed files with information about the + files taken from the package metadata stored in the RPM + database. 
+ + + + + + + + + Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate + + Fedora + + Checks sudo usage without authentication + + + + + + + + + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Fedora + + Checks sudo usage without password + + + + + + + + + + Ensure Users Re-Authenticate for Privilege Escalation - sudo + + Fedora + + Checks sudo usage without password + + + + + + + + + + Only the VDSM User Can Use sudo NOPASSWD + + Fedora + + Checks sudo usage for the vdsm user without a password + + + + + + + + + + Explicit arguments in sudo specifications + + Fedora + + Check that sudoers doesn't contain commands without arguments specified + + + + + + + + + Don't define allowed commands in sudoers by means of exclusion + + Fedora + + Check that sudoers doesn't contain command negations + + + + + + + + + Don't target root user in the sudoers file + + Fedora + + Check that sudoers doesn't allow users to run commands as root + + + + + + + + + + Ensure invoking users password for privilege escalation when using sudo + + Fedora + + Ensure invoking user's password for privilege escalation when using sudo + + + + + + + + + + + Configure dnf-automatic to Install Available Updates Automatically + + Fedora + + Ensure 'apply_updates' is configured with value 'yes in section 'commands' in /etc/dnf/automatic.conf + + + + + + + + + + + + Configure dnf-automatic to Install Only Security Updates + + Fedora + + Ensure 'upgrade_type' is configured with value 'security in section 'commands' in /etc/dnf/automatic.conf + + + + + + + + + + + + Ensure Fedora GPG Key Installed + + Fedora + + The Fedora release key package is required to be installed. + + + + + + + + + + + + + + Ensure gpgcheck Enabled In Main dnf Configuration + + Fedora + + The gpgcheck option should be used to ensure that checking + of an RPM package's signature always occurs prior to its + installation. 
+ + + + + + + + + Ensure gpgcheck Enabled for Local Packages + + Fedora + + The localpkg_gpgcheck option should be used to ensure that checking + of an RPM package's signature always occurs prior to its + installation. + + + + + + + + + Ensure gpgcheck Enabled for All dnf Package Repositories + + Fedora + + Ensure all yum or dnf repositories utilize signature checking. + + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Digit Characters + + Fedora + + The password dcredit should meet minimum requirements + + + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Different Characters + + Fedora + + The password difok should meet minimum requirements + + + + + + + + + + Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only + + Fedora + + Check presence of local_users_only in /etc/security/pwquality.conf + + + + + + + + + + Ensure PAM Enforces Password Requirements - Enforce for root User + + Fedora + + Check presence of enforce_for_root in /etc/security/pwquality.conf + + + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters + + Fedora + + The password lcredit should meet minimum requirements + + + + + + + + + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class + + Fedora + + The password maxclassrepeat should meet minimum requirements + + + + + + + + + + Set Password Maximum Consecutive Repeating Characters + + Fedora + + The password maxrepeat should meet minimum requirements + + + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Different Categories + + Fedora + + The password minclass should meet minimum requirements + + + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Length + + Fedora + + The password minlen should meet minimum requirements + + + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Special Characters + + Fedora + + The password ocredit should meet 
minimum requirements + + + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters + + Fedora + + The password ucredit should meet minimum requirements + + + + + + + + + + Enforce pam_faillock for Local Accounts Only + + Fedora + + Check presence of local_users_only in /etc/security/faillock.conf + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - chmod + + Fedora + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - chown + + Fedora + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchmod + + Fedora + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchmodat + + Fedora + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchown + + Fedora + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchownat + + Fedora + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Fedora + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fsetxattr + + Fedora + + The changing of file permissions and attributes should be audited. 
+ + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - lchown + + Fedora + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Fedora + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr + + Fedora + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - removexattr + + Fedora + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - setxattr + + Fedora + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - umount + + Fedora + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - umount2 + + Fedora + + The changing of file permissions and attributes should be audited. 
+ + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via open syscall - /etc/group + + Fedora + + Audit rules about the write events to /etc/group + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group + + Fedora + + Audit rules about the write events to /etc/group + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via openat syscall - /etc/group + + Fedora + + Audit rules about the write events to /etc/group + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via open syscall - /etc/gshadow + + Fedora + + Audit rules about the write events to /etc/gshadow + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow + + Fedora + + Audit rules about the write events to /etc/gshadow + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via openat syscall - /etc/gshadow + + Fedora + + Audit rules about the write events to /etc/gshadow + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via open syscall - /etc/passwd + + Fedora + + Audit rules about the write events to /etc/passwd + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd + + Fedora + + Audit rules about the write events to /etc/passwd + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via openat syscall - /etc/passwd + + Fedora + + Audit rules about the write events to /etc/passwd + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via open syscall - /etc/shadow + + Fedora + + Audit rules about the write events to /etc/shadow + + + + + + + + + + + + 
+ + + + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow + + Fedora + + Audit rules about the write events to /etc/shadow + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via openat syscall - /etc/shadow + + Fedora + + Audit rules about the write events to /etc/shadow + + + + + + + + + + + + + + + + + + + + + + + + Record Any Attempts to Run chcon + + Fedora + + Audit rules about the information on the use of chcon is enabled. + + + + + + + + + + + + + + + + Record Any Attempts to Run restorecon + + Fedora + + Audit rules about the information on the use of restorecon is enabled. + + + + + + + + + + + + + + + + Record Any Attempts to Run semanage + + Fedora + + Audit rules about the information on the use of semanage is enabled. + + + + + + + + + + + + + + + + Record Any Attempts to Run setsebool + + Fedora + + Audit rules about the information on the use of setsebool is enabled. + + + + + + + + + + + + + + + + Record Any Attempts to Run seunshare + + Fedora + + Audit rules about the information on the use of seunshare is enabled. + + + + + + + + + + + + + + + + Ensure auditd Collects File Deletion Events by User - rename + + Fedora + + The deletion of files should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects File Deletion Events by User - renameat + + Fedora + + The deletion of files should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects File Deletion Events by User - rmdir + + Fedora + + The deletion of files should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects File Deletion Events by User - unlink + + Fedora + + The deletion of files should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects File Deletion Events by User - unlinkat + + Fedora + + The deletion of files should be audited. 
+ + + + + + + + + + + + + + + + + + + + + + + + Record Attempts to Alter Logon and Logout Events - faillock + + Fedora + + Audit rules should be configured to log successful and unsuccessful login and logout events. + + + + + + + + + + + + + + + + Record Attempts to Alter Logon and Logout Events - lastlog + + Fedora + + Audit rules should be configured to log successful and unsuccessful login and logout events. + + + + + + + + + + + + + + + + Record Attempts to Alter Logon and Logout Events - tallylog + + Fedora + + Audit rules should be configured to log successful and unsuccessful login and logout events. + + + + + + + + + + + + + + + + Ensure auditd Collects Information on Exporting to Media (successful) + + Fedora + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - at + + Fedora + + Audit rules about the information on the use of at is enabled. + + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - chage + + Fedora + + Audit rules about the information on the use of chage is enabled. + + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - chsh + + Fedora + + Audit rules about the information on the use of chsh is enabled. + + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - crontab + + Fedora + + Audit rules about the information on the use of crontab is enabled. + + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + + Fedora + + Audit rules about the information on the use of gpasswd is enabled. + + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - mount + + Fedora + + Audit rules about the information on the use of mount is enabled. 
+ + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap + + Fedora + + Audit rules about the information on the use of newgidmap is enabled. + + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - newgrp + + Fedora + + Audit rules about the information on the use of newgrp is enabled. + + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap + + Fedora + + Audit rules about the information on the use of newuidmap is enabled. + + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - passwd + + Fedora + + Audit rules about the information on the use of passwd is enabled. + + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown + + Fedora + + Audit rules about the information on the use of pt_chown is enabled. + + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign + + Fedora + + Audit rules about the information on the use of ssh_keysign is enabled. + + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - su + + Fedora + + Audit rules about the information on the use of su is enabled. + + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - sudo + + Fedora + + Audit rules about the information on the use of sudo is enabled. + + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit + + Fedora + + Audit rules about the information on the use of sudoedit is enabled. + + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - umount + + Fedora + + Audit rules about the information on the use of umount is enabled. 
+ + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd + + Fedora + + Audit rules about the information on the use of unix_chkpwd is enabled. + + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - userhelper + + Fedora + + Audit rules about the information on the use of userhelper is enabled. + + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl + + Fedora + + Audit rules about the information on the use of usernetctl is enabled. + + + + + + + + + + + + + + + + Record Unsuccessul Permission Changes to Files - chmod + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Ownership Changes to Files - chown + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Access Attempts to Files - creat + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Permission Changes to Files - fchmod + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Permission Changes to Files - fchmodat + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Ownership Changes to Files - fchown + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Ownership Changes to Files - fchownat + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Permission Changes to Files - fremovexattr + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Permission Changes to Files - fsetxattr + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Access Attempts to Files - ftruncate + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Ownership Changes to Files - lchown + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Permission Changes to Files - lremovexattr + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Permission Changes to Files - lsetxattr + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Access Attempts to Files - open + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Access Attempts to Files - open_by_handle_at + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + + Fedora + + Audit rules about the information on the unsuccessful use of open_by_handle_at O_CREAT is enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE + + Fedora + + Audit rules about the information on the unsuccessful use of open_by_handle_at O_TRUNC is enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly + + Fedora + + Audit rules about the information on the unsuccessful use of open_by_handle_at is configured in the proper rule order. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Creation Attempts to Files - open O_CREAT + + Fedora + + Audit rules about the information on the unsuccessful use of open O_CREAT is enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE + + Fedora + + Audit rules about the information on the unsuccessful use of open O_TRUNC is enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly + + Fedora + + Audit rules about the information on the unsuccessful use of open is configured in the proper rule order. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Access Attempts to Files - openat + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Creation Attempts to Files - openat O_CREAT + + Fedora + + Audit rules about the information on the unsuccessful use of openat O_CREAT is enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE + + Fedora + + Audit rules about the information on the unsuccessful use of openat O_TRUNC is enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly + + Fedora + + Audit rules about the information on the unsuccessful use of openat is configured in the proper rule order. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Permission Changes to Files - removexattr + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Delete Attempts to Files - rename + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Delete Attempts to Files - renameat + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Permission Changes to Files - setxattr + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Access Attempts to Files - truncate + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Delete Attempts to Files - unlink + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Delete Attempts to Files - unlinkat + + Fedora + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information - /etc/group + + Fedora + + Audit user/group modification. + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information - /etc/gshadow + + Fedora + + Audit user/group modification. + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information - /etc/security/opasswd + + Fedora + + Audit user/group modification. + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information - /etc/passwd + + Fedora + + Audit user/group modification. + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information - /etc/shadow + + Fedora + + Audit user/group modification. 
+ + + + + + + + + + + + + + + + Set number of records to cause an explicit flush to audit logs + + Fedora + + Ensure 'freq' is configured with value '50' in /etc/audit/auditd.conf + + + + + + + + + Include Local Events in Audit Logs + + Fedora + + Ensure 'local_events' is configured with value 'yes' in /etc/audit/auditd.conf + + + + + + + + + + Resolve information before writing to audit logs + + Fedora + + Ensure 'log_format' is configured with value 'ENRICHED' in /etc/audit/auditd.conf + + + + + + + + + Set hostname as computer node name in audit logs + + Fedora + + Ensure 'name_format' is configured with value 'hostname' in /etc/audit/auditd.conf + + + + + + + + + Write Audit Logs to the Disk + + Fedora + + Ensure 'write_logs' is configured with value 'yes' in /etc/audit/auditd.conf + + + + + + + + + + Ensure SELinux Not Disabled in the kernel arguments + + Fedora + + Ensure selinux=0 argument is not present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline. 
+ + + + + + + + + + + + + + + + + + + + Disable User Administration in GNOME3 + + Fedora + + Ensure 'user-administration-disabled' is configured with value 'true in section 'org/gnome/desktop/lockdown' in /etc/dconf/db/local.d/ + + + + + + + + + + Enable the GNOME3 Screen Locking On Smartcard Removal + + Fedora + + Ensure 'removal-action' is configured with value 'lock-screen in section 'org/gnome/settings-daemon/peripherals/smartcard' in /etc/dconf/db/local.d/ + + + + + + + + + + Disable Host-Based Authentication + + Fedora + + Ensure 'HostbasedAuthentication' is configured with value 'no' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + + Verify Group Who Owns Backup group File + + Fedora + + This test makes sure that /etc/group- is group owned by 0. + + + + + + + + + Verify Group Who Owns Backup gshadow File + + Fedora + + This test makes sure that /etc/gshadow- is group owned by 0. + + + + + + + + + Verify Group Who Owns Backup passwd File + + Fedora + + This test makes sure that /etc/passwd- is group owned by 0. + + + + + + + + + Verify User Who Owns Backup shadow File + + Fedora + + This test makes sure that /etc/shadow- is group owned by 0. + + + + + + + + + Verify the UEFI Boot Loader grub.cfg Group Ownership + + Fedora + + This test makes sure that /boot/efi/EFI/fedora/grub.cfg is group owned by 0. + + + + + + + + + Verify Group Who Owns group File + + Fedora + + This test makes sure that /etc/group is group owned by 0. + + + + + + + + + Verify Group Who Owns gshadow File + + Fedora + + This test makes sure that /etc/gshadow is group owned by 0. + + + + + + + + + Verify Group Ownership of System Login Banner + + Fedora + + This test makes sure that /etc/issue is group owned by 0. + + + + + + + + + Verify Group Ownership of Message of the Day Banner + + Fedora + + This test makes sure that /etc/motd is group owned by 0. + + + + + + + + + Verify Group Who Owns passwd File + + Fedora + + This test makes sure that /etc/passwd is group owned by 0. 
+ + + + + + + + + Verify Group Who Owns shadow File + + Fedora + + This test makes sure that /etc/shadow is group owned by 0. + + + + + + + + + Verify /boot/grub2/grub.cfg Group Ownership + + Fedora + + This test makes sure that /boot/grub2/grub.cfg is group owned by 0. + + + + + + + + + Verify Group Who Owns /var/log Directory + + Fedora + + This test makes sure that /var/log/ is group owned by 0. + + + + + + + + + Verify Group Who Owns /var/log/messages File + + Fedora + + This test makes sure that /var/log/messages is group owned by 0. + + + + + + + + + Verify User Who Owns Backup group File + + Fedora + + This test makes sure that /etc/group- is owned by 0. + + + + + + + + + Verify User Who Owns Backup gshadow File + + Fedora + + This test makes sure that /etc/gshadow- is owned by 0. + + + + + + + + + Verify User Who Owns Backup passwd File + + Fedora + + This test makes sure that /etc/passwd- is owned by 0. + + + + + + + + + Verify Group Who Owns Backup shadow File + + Fedora + + This test makes sure that /etc/shadow- is owned by 0. + + + + + + + + + Verify the UEFI Boot Loader grub.cfg User Ownership + + Fedora + + This test makes sure that /boot/efi/EFI/fedora/grub.cfg is owned by 0. + + + + + + + + + Verify User Who Owns group File + + Fedora + + This test makes sure that /etc/group is owned by 0. + + + + + + + + + Verify User Who Owns gshadow File + + Fedora + + This test makes sure that /etc/gshadow is owned by 0. + + + + + + + + + Verify ownership of System Login Banner + + Fedora + + This test makes sure that /etc/issue is owned by 0. + + + + + + + + + Verify ownership of Message of the Day Banner + + Fedora + + This test makes sure that /etc/motd is owned by 0. + + + + + + + + + Verify User Who Owns passwd File + + Fedora + + This test makes sure that /etc/passwd is owned by 0. + + + + + + + + + Verify User Who Owns shadow File + + Fedora + + This test makes sure that /etc/shadow is owned by 0. 
+ + + + + + + + + Verify /boot/grub2/grub.cfg User Ownership + + Fedora + + This test makes sure that /boot/grub2/grub.cfg is owned by 0. + + + + + + + + + Verify User Who Owns /var/log Directory + + Fedora + + This test makes sure that /var/log/ is owned by 0. + + + + + + + + + Verify User Who Owns /var/log/messages File + + Fedora + + This test makes sure that /var/log/messages is owned by 0. + + + + + + + + + Verify Permissions on Backup group File + + Fedora + + This test makes sure that /etc/group- has mode 0644. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + + Verify Permissions on Backup gshadow File + + Fedora + + This test makes sure that /etc/gshadow- has mode 0000. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + + Verify Permissions on Backup passwd File + + Fedora + + This test makes sure that /etc/passwd- has mode 0644. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + + Verify Permissions on Backup shadow File + + Fedora + + This test makes sure that /etc/shadow- has mode 0000. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + + Verify the UEFI Boot Loader grub.cfg Permissions + + Fedora + + This test makes sure that /boot/efi/EFI/fedora/grub.cfg has mode 0700. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + + Verify Permissions on group File + + Fedora + + This test makes sure that /etc/group has mode 0644. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + + Verify Permissions on gshadow File + + Fedora + + This test makes sure that /etc/gshadow has mode 0000. + If the target file or directory has an extended ACL, then it will fail the mode check. 
+ + + + + + + + + + Verify permissions on System Login Banner + + Fedora + + This test makes sure that /etc/issue has mode 0644. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + + Verify permissions on Message of the Day Banner + + Fedora + + This test makes sure that /etc/motd has mode 0644. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + + Verify Permissions on passwd File + + Fedora + + This test makes sure that /etc/passwd has mode 0644. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + + Verify Permissions on shadow File + + Fedora + + This test makes sure that /etc/shadow has mode 0000. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + + Verify /boot/grub2/grub.cfg Permissions + + Fedora + + This test makes sure that /boot/grub2/grub.cfg has mode 0600. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + + Verify Permissions on SSH Server Private *_key Key Files + + Fedora + + This test makes sure that /etc/ssh/ has mode 0640. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + + Verify Permissions on SSH Server Public *.pub Key Files + + Fedora + + This test makes sure that /etc/ssh/ has mode 0644. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + + Verify Permissions on /var/log Directory + + Fedora + + This test makes sure that /var/log/ has mode 0755. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + + Verify Permissions on /var/log/messages File + + Fedora + + This test makes sure that /var/log/messages has mode 0640. + If the target file or directory has an extended ACL, then it will fail the mode check. 
+ + + + + + + + + + Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Fedora + + Ensure audit=1 is configured in the kernel line in /etc/default/grub. + + + + + + + + + Extend Audit Backlog Limit for the Audit Daemon + + Fedora + + Ensure audit_backlog_limit=8192 is configured in the kernel line in /etc/default/grub. + + + + + + + + + IOMMU configuration directive + + Fedora + + Ensure iommu=force is configured in the kernel line in /etc/default/grub. + + + + + + + + + Ensure IPv6 is disabled through kernel boot parameter + + Fedora + + Ensure ipv6.disable=1 is configured in the kernel line in /etc/default/grub. + + + + + + + + + Enable page allocator poisoning + + Fedora + + Ensure page_poison=1 is configured in the kernel line in /etc/default/grub. + + + + + + + + + Enable Kernel Page-Table Isolation (KPTI) + + Fedora + + Ensure pti=on is configured in the kernel line in /etc/default/grub. + + + + + + + + + Enable SLUB/SLAB allocator poisoning + + Fedora + + Ensure slub_debug=P is configured in the kernel line in /etc/default/grub. + + + + + + + + + Disable vsyscalls + + Fedora + + Ensure vsyscall=none is configured in the kernel line in /etc/default/grub. + + + + + + + + + Install Smart Card Packages For Multifactor Authentication + + Fedora + + The RPM package openssl-pkcs11 should be installed. + + + + + + + + + Disable ATM Support + + Fedora + + The kernel module atm should be disabled. + + + + + + + + + + + + + + + Disable Bluetooth Kernel Module + + Fedora + + The kernel module bluetooth should be disabled. + + + + + + + + + + + + + + + Disable CAN Support + + Fedora + + The kernel module can should be disabled. + + + + + + + + + + + + + + + Disable Mounting of cramfs + + Fedora + + The kernel module cramfs should be disabled. + + + + + + + + + + + + + + + Disable DCCP Support + + Fedora + + The kernel module dccp should be disabled. 
+ + + + + + + + + + + + + + + Disable IEEE 1394 (FireWire) Support + + Fedora + + The kernel module firewire-core should be disabled. + + + + + + + + + + + + + + + Disable Mounting of freevxfs + + Fedora + + The kernel module freevxfs should be disabled. + + + + + + + + + + + + + + + Disable Mounting of hfs + + Fedora + + The kernel module hfs should be disabled. + + + + + + + + + + + + + + + Disable Mounting of hfsplus + + Fedora + + The kernel module hfsplus should be disabled. + + + + + + + + + + + + + + + Disable Mounting of jffs2 + + Fedora + + The kernel module jffs2 should be disabled. + + + + + + + + + + + + + + + Disable RDS Support + + Fedora + + The kernel module rds should be disabled. + + + + + + + + + + + + + + + Disable Mounting of squashfs + + Fedora + + The kernel module squashfs should be disabled. + + + + + + + + + + + + + + + Disable TIPC Support + + Fedora + + The kernel module tipc should be disabled. + + + + + + + + + + + + + + + Disable Mounting of udf + + Fedora + + The kernel module udf should be disabled. + + + + + + + + + + + + + + + Disable Modprobe Loading of USB Storage Driver + + Fedora + + The kernel module usb-storage should be disabled. + + + + + + + + + + + + + + + Disable Mounting of vFAT filesystems + + Fedora + + The kernel module vfat should be disabled. + + + + + + + + + + + + + + + Add noauto Option to /boot + + Fedora + + /boot should be mounted with mount option noauto. + + + + + + + + + Add nodev Option to /boot + + Fedora + + /boot should be mounted with mount option nodev. + + + + + + + + + Add noexec Option to /boot + + Fedora + + /boot should be mounted with mount option noexec. + + + + + + + + + Add nosuid Option to /boot + + Fedora + + /boot should be mounted with mount option nosuid. + + + + + + + + + Add nodev Option to /dev/shm + + Fedora + + /dev/shm should be mounted with mount option nodev. + + + + + + + + + Add noexec Option to /dev/shm + + Fedora + + /dev/shm should be mounted with mount option noexec. 
+ + + + + + + + + Add nosuid Option to /dev/shm + + Fedora + + /dev/shm should be mounted with mount option nosuid. + + + + + + + + + Add noexec Option to /home + + Fedora + + /home should be mounted with mount option noexec. + + + + + + + + + Add nodev Option to Removable Media Partitions + + Fedora + + The nodev option should be enabled for all removable devices mounts in /etc/fstab. + + + + + + + + + + + + + + + + + Add noexec Option to Removable Media Partitions + + Fedora + + The noexec option should be enabled for all removable devices mounts in /etc/fstab. + + + + + + + + + + + + + + + + + Add nosuid Option to Removable Media Partitions + + Fedora + + The nosuid option should be enabled for all removable devices mounts in /etc/fstab. + + + + + + + + + + + + + + + + + Add nosuid Option to /opt + + Fedora + + /opt should be mounted with mount option nosuid. + + + + + + + + + Add nosuid Option to /srv + + Fedora + + /srv should be mounted with mount option nosuid. + + + + + + + + + Add nodev Option to /tmp + + Fedora + + /tmp should be mounted with mount option nodev. + + + + + + + + + Add noexec Option to /tmp + + Fedora + + /tmp should be mounted with mount option noexec. + + + + + + + + + Add nosuid Option to /tmp + + Fedora + + /tmp should be mounted with mount option nosuid. + + + + + + + + + Add nodev Option to /var/log/audit + + Fedora + + /var/log/audit should be mounted with mount option nodev. + + + + + + + + + Add noexec Option to /var/log/audit + + Fedora + + /var/log/audit should be mounted with mount option noexec. + + + + + + + + + Add nosuid Option to /var/log/audit + + Fedora + + /var/log/audit should be mounted with mount option nosuid. + + + + + + + + + Add nodev Option to /var/log + + Fedora + + /var/log should be mounted with mount option nodev. + + + + + + + + + Add noexec Option to /var/log + + Fedora + + /var/log should be mounted with mount option noexec. 
+ + + + + + + + + Add nosuid Option to /var/log + + Fedora + + /var/log should be mounted with mount option nosuid. + + + + + + + + + Add nodev Option to /var + + Fedora + + /var should be mounted with mount option nodev. + + + + + + + + + Add noexec Option to /var + + Fedora + + /var should be mounted with mount option noexec. + + + + + + + + + Add nosuid Option to /var + + Fedora + + /var should be mounted with mount option nosuid. + + + + + + + + + package_GConf2_installed + + Fedora + + The RPM package GConf2 should be installed. + + + + + + + + + Install the Host Intrusion Prevention System (HIPS) Module + + Fedora + + The RPM package MFEhiplsm should be installed. + + + + + + + + + Uninstall abrt-addon-ccpp Package + + Fedora + + The RPM package abrt-addon-ccpp should be removed. + + + + + + + + + Uninstall abrt-addon-kerneloops Package + + Fedora + + The RPM package abrt-addon-kerneloops should be removed. + + + + + + + + + Uninstall abrt-addon-python Package + + Fedora + + The RPM package abrt-addon-python should be removed. + + + + + + + + + Uninstall abrt-cli Package + + Fedora + + The RPM package abrt-cli should be removed. + + + + + + + + + Uninstall abrt-plugin-logger Package + + Fedora + + The RPM package abrt-plugin-logger should be removed. + + + + + + + + + Uninstall abrt-plugin-rhtsupport Package + + Fedora + + The RPM package abrt-plugin-rhtsupport should be removed. + + + + + + + + + Uninstall abrt-plugin-sosreport Package + + Fedora + + The RPM package abrt-plugin-sosreport should be removed. + + + + + + + + + Uninstall Automatic Bug Reporting Tool (abrt) + + Fedora + + The RPM package abrt should be removed. + + + + + + + + + Install AIDE + + Fedora + + The RPM package aide should be installed. + + + + + + + + + Install audispd-plugins Package + + Fedora + + The RPM package audispd-plugins should be installed. 
+ + + + + + + + + Ensure the default plugins for the audit dispatcher are Installed + + Fedora + + The RPM package audit-audispd-plugins should be installed. + + + + + + + + + Ensure the audit Subsystem is Installed + + Fedora + + The RPM package audit should be installed. + + + + + + + + + package_avahi_installed + + Fedora + + The RPM package avahi should be installed. + + + + + + + + + Uninstall bind Package + + Fedora + + The RPM package bind should be removed. + + + + + + + + + Install binutils Package + + Fedora + + The RPM package binutils should be installed. + + + + + + + + + The Chrony package is installed + + Fedora + + The RPM package chrony should be installed. + + + + + + + + + Install the cron service + + Fedora + + The RPM package cron should be installed. + + + + + + + + + Install cryptsetup-luks Package + + Fedora + + The RPM package cryptsetup-luks should be installed. + + + + + + + + + package_dconf_installed + + Fedora + + The RPM package dconf should be installed. + + + + + + + + + Install dnf-automatic Package + + Fedora + + The RPM package dnf-automatic should be installed. + + + + + + + + + package_esc_installed + + Fedora + + The RPM package esc should be installed. + + + + + + + + + Install fapolicyd Package + + Fedora + + The RPM package fapolicyd should be installed. + + + + + + + + + package_gdm_installed + + Fedora + + The RPM package gdm should be installed. + + + + + + + + + Remove the GDM Package Group + + Fedora + + The RPM package gdm should be removed. + + + + + + + + + Uninstall geolite2-city Package + + Fedora + + The RPM package geolite2-city should be removed. + + + + + + + + + Uninstall geolite2-country Package + + Fedora + + The RPM package geolite2-country should be removed. + + + + + + + + + Ensure gnutls-utils is installed + + Fedora + + The RPM package gnutls-utils should be installed. + + + + + + + + + Uninstall gssproxy Package + + Fedora + + The RPM package gssproxy should be removed. 
+ + + + + + + + + Uninstall the inet-based telnet server + + Fedora + + The RPM package inetutils-telnetd should be removed. + + + + + + + + + Uninstall iprutils Package + + Fedora + + The RPM package iprutils should be removed. + + + + + + + + + Install iptables Package + + Fedora + + The RPM package iptables should be installed. + + + + + + + + + Uninstall krb5-workstation Package + + Fedora + + The RPM package krb5-workstation should be removed. + + + + + + + + + Install libcap-ng-utils Package + + Fedora + + The RPM package libcap-ng-utils should be installed. + + + + + + + + + Install libreswan Package + + Fedora + + The RPM package libreswan should be installed. + + + + + + + + + Install libselinux Package + + Fedora + + The RPM package libselinux should be installed. + + + + + + + + + Uninstall mcstrans Package + + Fedora + + The RPM package mcstrans should be removed. + + + + + + + + + Uninstall net-snmp Package + + Fedora + + The RPM package net-snmp should be removed. + + + + + + + + + Uninstall nfs-utils Package + + Fedora + + The RPM package nfs-utils should be removed. + + + + + + + + + Uninstall the nis package + + Fedora + + The RPM package nis should be removed. + + + + + + + + + Ensure nss-tools is installed + + Fedora + + The RPM package nss-tools should be installed. + + + + + + + + + Install the ntp service + + Fedora + + The RPM package ntp should be installed. + + + + + + + + + Uninstall the ntpdate package + + Fedora + + The RPM package ntpdate should be removed. + + + + + + + + + Ensure LDAP client is not installed + + Fedora + + The RPM package openldap-clients should be removed. + + + + + + + + + Install the opensc Package For Multifactor Authentication + + Fedora + + The RPM package opensc should be installed. + + + + + + + + + Install openscap-scanner Package + + Fedora + + The RPM package openscap-scanner should be installed. 
+ + + + + + + + + Install the OpenSSH Server Package + + Fedora + + The RPM package openssh-server should be installed. + + + + + + + + + Remove the OpenSSH Server Package + + Fedora + + The RPM package openssh-server should be removed. + + + + + + + + + package_pam_ldap_removed + + Fedora + + The RPM package pam_ldap should be removed. + + + + + + + + + Install the pcsc-lite package + + Fedora + + The RPM package pcsc-lite should be installed. + + + + + + + + + Install policycoreutils Package + + Fedora + + The RPM package policycoreutils should be installed. + + + + + + + + + package_prelink_removed + + Fedora + + The RPM package prelink should be removed. + + + + + + + + + Install rear Package + + Fedora + + The RPM package rear should be installed. + + + + + + + + + Install rng-tools Package + + Fedora + + The RPM package rng-tools should be installed. + + + + + + + + + Ensure rsyslog-gnutls is installed + + Fedora + + The RPM package rsyslog-gnutls should be installed. + + + + + + + + + Ensure rsyslog is Installed + + Fedora + + The RPM package rsyslog should be installed. + + + + + + + + + package_samba-common_removed + + Fedora + + The RPM package samba-common should be removed. + + + + + + + + + Install scap-security-guide Package + + Fedora + + The RPM package scap-security-guide should be installed. + + + + + + + + + Install the screen Package + + Fedora + + The RPM package screen should be installed. + + + + + + + + + Uninstall Sendmail Package + + Fedora + + The RPM package sendmail should be removed. + + + + + + + + + Uninstall setroubleshoot-plugins Package + + Fedora + + The RPM package setroubleshoot-plugins should be removed. + + + + + + + + + Uninstall setroubleshoot-server Package + + Fedora + + The RPM package setroubleshoot-server should be removed. + + + + + + + + + Uninstall setroubleshoot Package + + Fedora + + The RPM package setroubleshoot should be removed. 
+ + + + + + + + + Install sssd-ipa Package + + Fedora + + The RPM package sssd-ipa should be installed. + + + + + + + + + Install sudo Package + + Fedora + + The RPM package sudo should be installed. + + + + + + + + + Ensure syslog-ng is Installed + + Fedora + + The RPM package syslogng should be installed. + + + + + + + + + Install tar Package + + Fedora + + The RPM package tar should be installed. + + + + + + + + + Uninstall the ssl compliant telnet server + + Fedora + + The RPM package telnetd-ssl should be removed. + + + + + + + + + Uninstall the telnet server + + Fedora + + The RPM package telnetd should be removed. + + + + + + + + + Install the tmux Package + + Fedora + + The RPM package tmux should be installed. + + + + + + + + + Uninstall tuned Package + + Fedora + + The RPM package tuned should be removed. + + + + + + + + + Install usbguard Package + + Fedora + + The RPM package usbguard should be installed. + + + + + + + + + Install vim Package + + Fedora + + The RPM package vim should be installed. + + + + + + + + + Install vsftpd Package + + Fedora + + The RPM package vsftpd should be installed. + + + + + + + + + Uninstall vsftpd Package + + Fedora + + The RPM package vsftpd should be removed. + + + + + + + + + Remove the X Windows Package Group + + Fedora + + The RPM package xorg-x11-server-common should be removed. + + + + + + + + + Ensure /boot Located On Separate Partition + + Fedora + + If stored locally, create a separate partition for + . If will be mounted from another + system such as an NFS server, then creating a separate partition is not + necessary at this time, and the mountpoint can instead be configured + later. + + + + + + + + + Ensure /home Located On Separate Partition + + Fedora + + If stored locally, create a separate partition for + . If will be mounted from another + system such as an NFS server, then creating a separate partition is not + necessary at this time, and the mountpoint can instead be configured + later. 
+ + + + + + + + + Ensure /opt Located On Separate Partition + + Fedora + + If stored locally, create a separate partition for + . If will be mounted from another + system such as an NFS server, then creating a separate partition is not + necessary at this time, and the mountpoint can instead be configured + later. + + + + + + + + + Ensure /srv Located On Separate Partition + + Fedora + + If stored locally, create a separate partition for + . If will be mounted from another + system such as an NFS server, then creating a separate partition is not + necessary at this time, and the mountpoint can instead be configured + later. + + + + + + + + + Ensure /tmp Located On Separate Partition + + Fedora + + If stored locally, create a separate partition for + . If will be mounted from another + system such as an NFS server, then creating a separate partition is not + necessary at this time, and the mountpoint can instead be configured + later. + + + + + + + + + Ensure /usr Located On Separate Partition + + Fedora + + If stored locally, create a separate partition for + . If will be mounted from another + system such as an NFS server, then creating a separate partition is not + necessary at this time, and the mountpoint can instead be configured + later. + + + + + + + + + Ensure /var Located On Separate Partition + + Fedora + + If stored locally, create a separate partition for + . If will be mounted from another + system such as an NFS server, then creating a separate partition is not + necessary at this time, and the mountpoint can instead be configured + later. + + + + + + + + + Ensure /var/log Located On Separate Partition + + Fedora + + If stored locally, create a separate partition for + . If will be mounted from another + system such as an NFS server, then creating a separate partition is not + necessary at this time, and the mountpoint can instead be configured + later. 
+ + + + + + + + + Ensure /var/log/audit Located On Separate Partition + + Fedora + + If stored locally, create a separate partition for + . If will be mounted from another + system such as an NFS server, then creating a separate partition is not + necessary at this time, and the mountpoint can instead be configured + later. + + + + + + + + + Disable At Service (atd) + + Fedora + + The atd service should be disabled if possible. + + + + + + + + + + + + + + Enable auditd Service + + Fedora + + The auditd service should be enabled if possible. + + + + + + + + + + + + + + + + Disable the Automounter + + Fedora + + The autofs service should be disabled if possible. + + + + + + + + + + + + + + Disable Bluetooth Service + + Fedora + + The bluetooth service should be disabled if possible. + + + + + + + + + + + + + + The Chronyd service is enabled + + Fedora + + The chronyd service should be enabled if possible. + + + + + + + + + + + + + + + + Enable cron Service + + Fedora + + The cron service should be enabled if possible. + + + + + + + + + + + + + + + + Enable cron Service + + Fedora + + The crond service should be enabled if possible. + + + + + + + + + + + + + + + + Disable debug-shell SystemD Service + + Fedora + + The debug-shell service should be disabled if possible. + + + + + + + + + + + + + + Verify firewalld Enabled + + Fedora + + The firewalld service should be enabled if possible. + + + + + + + + + + + + + + + + Verify ip6tables Enabled if Using IPv6 + + Fedora + + The ip6tables service should be enabled if possible. + + + + + + + + + + + + + + + + Verify iptables Enabled + + Fedora + + The iptables service should be enabled if possible. + + + + + + + + + + + + + + + + Disable Network File Systems (netfs) + + Fedora + + The netfs service should be disabled if possible. + + + + + + + + + + + + + + Disable Network File System (nfs) + + Fedora + + The nfs-server service should be disabled if possible. 
+ + + + + + + + + + + + + + Disable Network File System Lock Service (nfslock) + + Fedora + + The nfslock service should be disabled if possible. + + + + + + + + + + + + + + Enable the NTP Daemon + + Fedora + + The ntp service should be enabled if possible. + + + + + + + + + + + + + + + + Enable the NTP Daemon + + Fedora + + The ntpd service should be enabled if possible. + + + + + + + + + + + + + + + + Enable the pcscd Service + + Fedora + + The pcscd service should be enabled if possible. + + + + + + + + + + + + + + + + Enable the Hardware RNG Entropy Gatherer Service + + Fedora + + The rngd service should be enabled if possible. + + + + + + + + + + + + + + + + Disable Secure RPC Client Service (rpcgssd) + + Fedora + + The rpcgssd service should be disabled if possible. + + + + + + + + + + + + + + Disable RPC ID Mapping Service (rpcidmapd) + + Fedora + + The rpcidmapd service should be disabled if possible. + + + + + + + + + + + + + + Disable Secure RPC Server Service (rpcsvcgssd) + + Fedora + + The rpcsvcgssd service should be disabled if possible. + + + + + + + + + + + + + + Ensure rsyncd service is diabled + + Fedora + + The rsyncd service should be disabled if possible. + + + + + + + + + + + + + + Enable rsyslog Service + + Fedora + + The rsyslog service should be enabled if possible. + + + + + + + + + + + + + + + + Disable SSH Server If Possible (Unusual) + + Fedora + + The sshd service should be disabled if possible. + + + + + + + + + + + + + + service_sssd_disabled + + Fedora + + The sssd service should be disabled if possible. + + + + + + + + + + + + + + service_syslog_disabled + + Fedora + + The syslog service should be disabled if possible. + + + + + + + + + + + + + + Enable syslog-ng Service + + Fedora + + The syslogng service should be enabled if possible. + + + + + + + + + + + + + + + + Disable acquiring, saving, and processing core dumps + + Fedora + + The systemd-coredump service should be disabled if possible. 
+ + + + + + + + + + + + + + Enable the USBGuard Service + + Fedora + + The usbguard service should be enabled if possible. + + + + + + + + + + + + + + + + Disable SSH Access via Empty Passwords + + Fedora + + Ensure 'PermitEmptyPasswords' is configured with value 'no' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + + Disable GSSAPI Authentication + + Fedora + + Ensure 'GSSAPIAuthentication' is configured with value 'no' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + + Disable Kerberos Authentication + + Fedora + + Ensure 'KerberosAuthentication' is configured with value 'no' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + + Disable PubkeyAuthentication Authentication + + Fedora + + Ensure 'PubkeyAuthentication' is configured with value 'no' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Disable SSH Support for .rhosts Files + + Fedora + + Ensure 'IgnoreRhosts' is configured with value 'yes' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + + Disable SSH Root Login + + Fedora + + Ensure 'PermitRootLogin' is configured with value 'no' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Disable SSH root Login with a Password (Insecure) + + Fedora + + Ensure 'PermitRootLogin' is configured with value 'prohibit-password' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + + Disable SSH TCP Forwarding + + Fedora + + Ensure 'AllowTcpForwarding' is configured with value 'no' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Disable SSH Support for User Known Hosts + + Fedora + + Ensure 'IgnoreUserKnownHosts' is configured with value 'yes' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Disable X11 Forwarding + + Fedora + + Ensure 'X11Forwarding' is configured with value 'no' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + + Do Not Allow SSH Environment Options + + Fedora + + Ensure 'PermitUserEnvironment' is configured with value 'no' in 
/etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + + Enable GSSAPI Authentication + + Fedora + + Ensure 'GSSAPIAuthentication' is configured with value 'yes' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Enable Use of Strict Mode Checking + + Fedora + + Ensure 'StrictModes' is configured with value 'yes' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + + Enable SSH Warning Banner + + Fedora + + Ensure 'Banner' is configured with value '/etc/issue' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Enable Encrypted X11 Forwarding + + Fedora + + Ensure 'X11Forwarding' is configured with value 'yes' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Enable SSH Print Last Log + + Fedora + + Ensure 'PrintLastLog' is configured with value 'yes' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + + Set SSH Client Alive Count Max to zero + + Fedora + + Ensure 'ClientAliveCountMax' is configured with value '0' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Set LogLevel to INFO + + Fedora + + Ensure 'LogLevel' is configured with value 'INFO' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + + Set SSH Daemon LogLevel to VERBOSE + + Fedora + + Ensure 'LogLevel' is configured with value 'VERBOSE' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + + Prevent remote hosts from connecting to the proxy display + + Fedora + + Ensure 'X11UseLocalhost' is configured with value 'yes' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + + Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC + + Fedora + + Checks sudoers Defaults {{ OPTION }} configuration + + + + + + + + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty + + Fedora + + Checks sudoers Defaults {{ OPTION }} configuration + + + + + + + + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty + + Fedora + + Checks sudoers Defaults {{ 
OPTION }} configuration + + + + + + + + + Enable Kernel Parameter to Enforce DAC on Hardlinks + + Fedora + + The 'fs.protected_hardlinks' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Enable Kernel Parameter to Enforce DAC on Hardlinks + + Fedora + + The kernel 'fs.protected_hardlinks' parameter should be set to '1' + + + + + + + + + Enable Kernel Parameter to Enforce DAC on Hardlinks + + Fedora + + The kernel 'fs.protected_hardlinks' parameter should be set to '1' + + + + + + + + + + + + Enable Kernel Parameter to Enforce DAC on Symlinks + + Fedora + + The 'fs.protected_symlinks' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Enable Kernel Parameter to Enforce DAC on Symlinks + + Fedora + + The kernel 'fs.protected_symlinks' parameter should be set to '1' + + + + + + + + + Enable Kernel Parameter to Enforce DAC on Symlinks + + Fedora + + The kernel 'fs.protected_symlinks' parameter should be set to '1' + + + + + + + + + + + + Disable Core Dumps for SUID programs + + Fedora + + The 'fs.suid_dumpable' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Disable Core Dumps for SUID programs + + Fedora + + The kernel 'fs.suid_dumpable' parameter should be set to '0' + + + + + + + + + Disable Core Dumps for SUID programs + + Fedora + + The kernel 'fs.suid_dumpable' parameter should be set to '0' + + + + + + + + + + + + Disable storing core dumps + + Fedora + + The 'kernel.core_pattern' kernel parameter should be set to the appropriate value in both system configuration and system runtime. 
+ + + + + + + + + + Disable storing core dumps + + Fedora + + The kernel 'kernel.core_pattern' parameter should be set to '|/bin/false' + + + + + + + + + Disable storing core dumps + + Fedora + + The kernel 'kernel.core_pattern' parameter should be set to '|/bin/false' + + + + + + + + + + + + Restrict Access to Kernel Message Buffer + + Fedora + + The 'kernel.dmesg_restrict' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Restrict Access to Kernel Message Buffer + + Fedora + + The kernel 'kernel.dmesg_restrict' parameter should be set to '1' + + + + + + + + + Restrict Access to Kernel Message Buffer + + Fedora + + The kernel 'kernel.dmesg_restrict' parameter should be set to '1' + + + + + + + + + + + + Disable Kernel Image Loading + + Fedora + + The 'kernel.kexec_load_disabled' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Disable Kernel Image Loading + + Fedora + + The kernel 'kernel.kexec_load_disabled' parameter should be set to '1' + + + + + + + + + Disable Kernel Image Loading + + Fedora + + The kernel 'kernel.kexec_load_disabled' parameter should be set to '1' + + + + + + + + + + + + Restrict Exposed Kernel Pointer Addresses Access + + Fedora + + The 'kernel.kptr_restrict' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Restrict Exposed Kernel Pointer Addresses Access + + Fedora + + The kernel 'kernel.kptr_restrict' parameter should be set to '1' + + + + + + + + + Restrict Exposed Kernel Pointer Addresses Access + + Fedora + + The kernel 'kernel.kptr_restrict' parameter should be set to '1' + + + + + + + + + + + + Disable loading and unloading of kernel modules + + Fedora + + The 'kernel.modules_disabled' kernel parameter should be set to the appropriate value in both system configuration and system runtime. 
+ + + + + + + + + + Disable loading and unloading of kernel modules + + Fedora + + The kernel 'kernel.modules_disabled' parameter should be set to '1' + + + + + + + + + Disable loading and unloading of kernel modules + + Fedora + + The kernel 'kernel.modules_disabled' parameter should be set to '1' + + + + + + + + + + + + Limit CPU consumption of the Perf system + + Fedora + + The 'kernel.perf_cpu_time_max_percent' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Limit CPU consumption of the Perf system + + Fedora + + The kernel 'kernel.perf_cpu_time_max_percent' parameter should be set to '1' + + + + + + + + + Limit CPU consumption of the Perf system + + Fedora + + The kernel 'kernel.perf_cpu_time_max_percent' parameter should be set to '1' + + + + + + + + + + + + Limit sampling frequency of the Perf system + + Fedora + + The 'kernel.perf_event_max_sample_rate' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Limit sampling frequency of the Perf system + + Fedora + + The kernel 'kernel.perf_event_max_sample_rate' parameter should be set to '1' + + + + + + + + + Limit sampling frequency of the Perf system + + Fedora + + The kernel 'kernel.perf_event_max_sample_rate' parameter should be set to '1' + + + + + + + + + + + + Disallow kernel profiling by unprivileged users + + Fedora + + The 'kernel.perf_event_paranoid' kernel parameter should be set to the appropriate value in both system configuration and system runtime. 
+ + + + + + + + + + Disallow kernel profiling by unprivileged users + + Fedora + + The kernel 'kernel.perf_event_paranoid' parameter should be set to '2' + + + + + + + + + Disallow kernel profiling by unprivileged users + + Fedora + + The kernel 'kernel.perf_event_paranoid' parameter should be set to '2' + + + + + + + + + + + + Configure maximum number of process identifiers + + Fedora + + The 'kernel.pid_max' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Configure maximum number of process identifiers + + Fedora + + The kernel 'kernel.pid_max' parameter should be set to '65536' + + + + + + + + + Configure maximum number of process identifiers + + Fedora + + The kernel 'kernel.pid_max' parameter should be set to '65536' + + + + + + + + + + + + Enable Randomized Layout of Virtual Address Space + + Fedora + + The 'kernel.randomize_va_space' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Enable Randomized Layout of Virtual Address Space + + Fedora + + The kernel 'kernel.randomize_va_space' parameter should be set to '2' + + + + + + + + + Enable Randomized Layout of Virtual Address Space + + Fedora + + The kernel 'kernel.randomize_va_space' parameter should be set to '2' + + + + + + + + + + + + Disallow magic SysRq key + + Fedora + + The 'kernel.sysrq' kernel parameter should be set to the appropriate value in both system configuration and system runtime. 
+ + + + + + + + + + Disallow magic SysRq key + + Fedora + + The kernel 'kernel.sysrq' parameter should be set to '0' + + + + + + + + + Disallow magic SysRq key + + Fedora + + The kernel 'kernel.sysrq' parameter should be set to '0' + + + + + + + + + + + + Disable Access to Network bpf() Syscall From Unprivileged Processes + + Fedora + + The 'kernel.unprivileged_bpf_disabled' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Disable Access to Network bpf() Syscall From Unprivileged Processes + + Fedora + + The kernel 'kernel.unprivileged_bpf_disabled' parameter should be set to '1' + + + + + + + + + Disable Access to Network bpf() Syscall From Unprivileged Processes + + Fedora + + The kernel 'kernel.unprivileged_bpf_disabled' parameter should be set to '1' + + + + + + + + + + + + Restrict usage of ptrace to descendant processes + + Fedora + + The 'kernel.yama.ptrace_scope' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Restrict usage of ptrace to descendant processes + + Fedora + + The kernel 'kernel.yama.ptrace_scope' parameter should be set to '1' + + + + + + + + + Restrict usage of ptrace to descendant processes + + Fedora + + The kernel 'kernel.yama.ptrace_scope' parameter should be set to '1' + + + + + + + + + + + + Harden the operation of the BPF just-in-time compiler + + Fedora + + The 'net.core.bpf_jit_harden' kernel parameter should be set to the appropriate value in both system configuration and system runtime. 
+ + + + + + + + + + Harden the operation of the BPF just-in-time compiler + + Fedora + + The kernel 'net.core.bpf_jit_harden' parameter should be set to '2' + + + + + + + + + Harden the operation of the BPF just-in-time compiler + + Fedora + + The kernel 'net.core.bpf_jit_harden' parameter should be set to '2' + + + + + + + + + + + + Disable Accepting ICMP Redirects for All IPv4 Interfaces + + Fedora + + The 'net.ipv4.conf.all.accept_redirects' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Disable Accepting ICMP Redirects for All IPv4 Interfaces + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Disable Accepting ICMP Redirects for All IPv4 Interfaces + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces + + Fedora + + The 'net.ipv4.conf.all.accept_source_route' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces + + Fedora + + The 'net.ipv4.conf.all.log_martians' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces + + Fedora + + the appropriate value in the system configuration. 
+ + + + + + + + + + + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces + + Fedora + + The 'net.ipv4.conf.all.rp_filter' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces + + Fedora + + The 'net.ipv4.conf.all.secure_redirects' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces + + Fedora + + The 'net.ipv4.conf.all.send_redirects' kernel parameter should be set to the appropriate value in both system configuration and system runtime. 
+ + + + + + + + + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces + + Fedora + + The kernel 'net.ipv4.conf.all.send_redirects' parameter should be set to '0' + + + + + + + + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces + + Fedora + + The kernel 'net.ipv4.conf.all.send_redirects' parameter should be set to '0' + + + + + + + + + + + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces + + Fedora + + The 'net.ipv4.conf.default.accept_redirects' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default + + Fedora + + The 'net.ipv4.conf.default.accept_source_route' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default + + Fedora + + The 'net.ipv4.conf.default.log_martians' kernel parameter should be set to the appropriate value in both system configuration and system runtime. 
+ + + + + + + + + + Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default + + Fedora + + The 'net.ipv4.conf.default.rp_filter' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Configure Kernel Parameter for Accepting Secure Redirects By Default + + Fedora + + The 'net.ipv4.conf.default.secure_redirects' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Configure Kernel Parameter for Accepting Secure Redirects By Default + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Configure Kernel Parameter for Accepting Secure Redirects By Default + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default + + Fedora + + The 'net.ipv4.conf.default.send_redirects' kernel parameter should be set to the appropriate value in both system configuration and system runtime. 
+ + + + + + + + + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default + + Fedora + + The kernel 'net.ipv4.conf.default.send_redirects' parameter should be set to '0' + + + + + + + + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default + + Fedora + + The kernel 'net.ipv4.conf.default.send_redirects' parameter should be set to '0' + + + + + + + + + + + + Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces + + Fedora + + The 'net.ipv4.icmp_echo_ignore_broadcasts' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces + + Fedora + + The 'net.ipv4.icmp_ignore_bogus_error_responses' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces + + Fedora + + The 'net.ipv4.ip_forward' kernel parameter should be set to the appropriate value in both system configuration and system runtime. 
+ + + + + + + + + + Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces + + Fedora + + The kernel 'net.ipv4.ip_forward' parameter should be set to '0' + + + + + + + + + Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces + + Fedora + + The kernel 'net.ipv4.ip_forward' parameter should be set to '0' + + + + + + + + + + + + Set Kernel Parameter to Increase Local Port Range + + Fedora + + The 'net.ipv4.ip_local_port_range' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Set Kernel Parameter to Increase Local Port Range + + Fedora + + The kernel 'net.ipv4.ip_local_port_range' parameter should be set to '32768 65535' + + + + + + + + + Set Kernel Parameter to Increase Local Port Range + + Fedora + + The kernel 'net.ipv4.ip_local_port_range' parameter should be set to '32768 65535' + + + + + + + + + + + + Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces + + Fedora + + The 'net.ipv4.tcp_syncookies' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces + + Fedora + + The kernel 'net.ipv6.conf.all.accept_ra_defrtr' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces + + Fedora + + the appropriate value in the system runtime. 
+ + + + + + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces + + Fedora + + The kernel 'net.ipv6.conf.all.accept_ra_pinfo' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces + + Fedora + + The kernel 'net.ipv6.conf.all.accept_ra_rtr_pref' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Configure Auto Configuration on All IPv6 Interfaces + + Fedora + + The kernel 'net.ipv6.conf.all.autoconf' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + + Configure Auto Configuration on All IPv6 Interfaces + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Configure Auto Configuration on All IPv6 Interfaces + + Fedora + + the appropriate value in the system configuration. 
+ + + + + + + + + + + + Disable IPv6 Networking Support Automatic Loading + + Fedora + + The kernel 'net.ipv6.conf.all.disable_ipv6' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + + Disable IPv6 Networking Support Automatic Loading + + Fedora + + The kernel 'net.ipv6.conf.all.disable_ipv6' parameter should be set to '1' + + + + + + + + + Disable IPv6 Networking Support Automatic Loading + + Fedora + + The kernel 'net.ipv6.conf.all.disable_ipv6' parameter should be set to '1' + + + + + + + + + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces + + Fedora + + The kernel 'net.ipv6.conf.all.max_addresses' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Configure Denying Router Solicitations on All IPv6 Interfaces + + Fedora + + The kernel 'net.ipv6.conf.all.router_solicitations' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + + Configure Denying Router Solicitations on All IPv6 Interfaces + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Configure Denying Router Solicitations on All IPv6 Interfaces + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Disable Accepting Router Advertisements on all IPv6 Interfaces by Default + + Fedora + + The kernel 'net.ipv6.conf.default.accept_ra' parameter should be set to the appropriate value in both system configuration and system runtime. 
+ + + + + + + + + + + + + Disable Accepting Router Advertisements on all IPv6 Interfaces by Default + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Disable Accepting Router Advertisements on all IPv6 Interfaces by Default + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default + + Fedora + + The kernel 'net.ipv6.conf.default.accept_ra_defrtr' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default + + Fedora + + The kernel 'net.ipv6.conf.default.accept_ra_pinfo' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default + + Fedora + + The kernel 'net.ipv6.conf.default.accept_ra_rtr_pref' parameter should be set to the appropriate value in both system configuration and system runtime. 
+ + + + + + + + + + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces + + Fedora + + The kernel 'net.ipv6.conf.default.accept_redirects' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Configure Auto Configuration on All IPv6 Interfaces By Default + + Fedora + + The kernel 'net.ipv6.conf.default.autoconf' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + + Configure Auto Configuration on All IPv6 Interfaces By Default + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Configure Auto Configuration on All IPv6 Interfaces By Default + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default + + Fedora + + The kernel 'net.ipv6.conf.default.max_addresses' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default + + Fedora + + the appropriate value in the system runtime. 
+ + + + + + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Configure Denying Router Solicitations on All IPv6 Interfaces By Default + + Fedora + + The kernel 'net.ipv6.conf.default.router_solicitations' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + + Configure Denying Router Solicitations on All IPv6 Interfaces By Default + + Fedora + + the appropriate value in the system runtime. + + + + + + + + + Configure Denying Router Solicitations on All IPv6 Interfaces By Default + + Fedora + + the appropriate value in the system configuration. + + + + + + + + + + + + Disable the use of user namespaces + + Fedora + + The 'user.max_user_namespaces' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Disable the use of user namespaces + + Fedora + + The kernel 'user.max_user_namespaces' parameter should be set to '0' + + + + + + + + + Disable the use of user namespaces + + Fedora + + The kernel 'user.max_user_namespaces' parameter should be set to '0' + + + + + + + + + + + + Prevent applications from mapping low portion of virtual memory + + Fedora + + The 'vm.mmap_min_addr' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + Prevent applications from mapping low portion of virtual memory + + Fedora + + The kernel 'vm.mmap_min_addr' parameter should be set to '65536' + + + + + + + + + Prevent applications from mapping low portion of virtual memory + + Fedora + + The kernel 'vm.mmap_min_addr' parameter should be set to '65536' + + + + + + + + + + + + Enable dnf-automatic Timer + + Fedora + + The dnf-automatic timer should be enabled if possible. 
+ + + + + + + + + + + + + Check pam_faillock Existence in system-auth + + Fedora + + Check that pam_faillock.so exists in system-auth + + + + + + + + + Check pam_pwquality Existence in system-auth + + Fedora + + Check that pam_pwquality.so exists in system-auth + + + + + + + + + Record Any Attempts to Run semanage + + Fedora + + Test if auditctl is in use for audit rules. + + + + + + + + + Record Any Attempts to Run semanage + + Fedora + + Test if augenrules is enabled for audit rules. + + + + + + + + + Record Events that Modify the System's Network Environment + + Fedora + + The network environment should not be modified by anything other than + administrator action. Any change to network parameters should be audited. + + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Network Environment + + Fedora + + The network environment should not be modified by anything other than + administrator action. Any change to network parameters should be audited. + + + + + + + + + + + + + + + + + + + + + + + + 'log_group' Not Set To 'root' In /etc/audit/auditd.conf + + Fedora + + Verify 'log_group' is not set to 'root' in + /etc/audit/auditd.conf. + + + + + + + + + Verify GRUB_DISABLE_RECOVERY Set to true + + Fedora + + GRUB_DISABLE_RECOVERY set to 'true' in + /etc/default/grub + + + + + + + + + Specify Multiple Remote chronyd NTP Servers for Time Data + + Fedora + + Multiple chronyd NTP Servers for time synchronization should be specified. + + + + + + + + + GRUB_CMDLINE_LINUX_DEFAULT existance check + + Fedora + + Check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub. + + + + + + + + + Install McAfee Host-Based Intrusion Detection Software (HBSS) + + Fedora + + McAfee Host-Based Intrusion Detection Software (HBSS) software + should be installed. 
+ + + + + + + + + + + + CentOS 6 + + Fedora + + + The operating system installed on the system is + CentOS 6 + + + + + + + + + + CentOS 7 + + Fedora + + + The operating system installed on the system is + CentOS 7 + + + + + + + + + + CentOS 8 + + Fedora + + + The operating system installed on the system is + CentOS 8 + + + + + + + + + + + Debian + + Fedora + + The operating system installed is a Debian System + + + + + + + + + + Debian Linux 10 + + Fedora + + + The operating system installed on the system is Debian 10 + + + + + + + + + + Debian 9 + + Fedora + + + The operating system installed on the system is Debian 9 + + + + + + + + + + Installed operating system is Fedora + + Fedora + + + The operating system installed on the system is Fedora + + + + + + + + + + + Oracle Linux 7 + + Fedora + + + The operating system installed on the system is + Oracle Linux 7 + + + + + + + + + + + + Oracle Linux 8 + + Fedora + + + The operating system installed on the system is + Oracle Linux 8 + + + + + + + + + + + + openSUSE + + Fedora + + The operating system installed on the system is openSUSE. + + + + + + + + + + openSUSE Leap 15 + + Fedora + + + The operating system installed on the system is openSUSE Leap 15. + + + + + + + + + + openSUSE Leap 42 + + Fedora + + + + + The operating system installed on the system is openSUSE Leap 42. 
+ + + + + + + + + + Installed operating system is part of the Unix family + + Fedora + + The operating system installed on the system is part of the Unix OS family + + + + + + + + + Red Hat Enterprise Linux CoreOS + + Fedora + + + The operating system installed on the system is + Red Hat Enterprise Linux CoreOS release 4 + + + + + + + + + + + + Red Hat Enterprise Linux 7 + + Fedora + + + The operating system installed on the system is + Red Hat Enterprise Linux 7 + + + + + + + + + + + + + + + + + + + Red Hat Enterprise Linux 8 + + Fedora + + + The operating system installed on the system is + Red Hat Enterprise Linux 8 + + + + + + + + + + + + + + + + Red Hat Enterprise Linux 9 + + Fedora + + + The operating system installed on the system is + Red Hat Enterprise Linux 9 + + + + + + + + + + + + + + + + Red Hat Virtualization 4 + + Fedora + + + The operating system installed on the system is + Red Hat Virtualization Host 4.4+ or Red Hat Enterprise Host. + + + + + + + + + + Scientific Linux 6 + + Fedora + + + The operating system installed on the system is + Scientific Linux 6 + + + + + + + + + + Scientific Linux 7 + + Fedora + + + The operating system installed on the system is + Scientific Linux 7 + + + + + + + + + + SUSE Linux Enterprise 12 + + Fedora + + + + The operating system installed on the system is + SUSE Linux Enterprise 12. + + + + + + + + + + + + + + SUSE Linux Enterprise 15 + + Fedora + + + + The operating system installed on the system is + SUSE Linux Enterprise 15. 
+ + + + + + + + + + + + + + Ubuntu + + Fedora + + The operating system installed is an Ubuntu System + + + + + + + + + + + Ubuntu 1604 + + Fedora + + + The operating system installed on the system is Ubuntu 1604 + + + + + + + + + + Ubuntu 1804 + + Fedora + + + The operating system installed on the system is Ubuntu 1804 + + + + + + + + + + Ubuntu 2004 + + Fedora + + + The operating system installed on the system is Ubuntu 2004 + + + + + + + + + + WRLinux 1019 + + Fedora + + + The operating system installed on the system is + Wind River Linux 1019 + + + + + + + + + + + WRLinux 8 + + Fedora + + + The operating system installed on the system is + Wind River Linux 8 + + + + + + + + + + Red Hat OpenStack Platform + + Fedora + + + The application installed installed on the system is + Red Hat OpenStack Platform 10. + + + + + + + + + + Red Hat OpenStack Platform + + Fedora + + + The application installed installed on the system is + Red Hat OpenStack Platform 13. + + + + + + + + + + Red Hat Virtualization 4 + + Fedora + + + The application installed installed on the system is + Red Hat Virtualization 4. + + + + + + + + + + Package chrony is installed + + Fedora + + Checks if package chrony is installed. + + + + + + + + + + Package gdm is installed + + Fedora + + Checks if package gdm is installed. + + + + + + + + + + Package grub2 is installed + + Fedora + + Checks if package grub2-common is installed. + + + + + + + + + + + + + + Package libuser is installed + + Fedora + + Checks if package libuser is installed. + + + + + + + + + + Package providing /etc/login.defs is installed + + Fedora + + Checks if package providing /etc/login.defs and is installed. + + + + + + + + + + Package net-snmp is installed + + Fedora + + Checks if package net-snmp is installed. + + + + + + + + + + Package nss-pam-ldapd is installed + + Fedora + + Checks if package nss-pam-ldapd is installed. + + + + + + + + + + Package ntp is installed + + Fedora + + Checks if package ntp is installed. 
+ + + + + + + + + + Package pam is installed + + Fedora + + Checks if package pam is installed. + + + + + + + + + + Package sssd-common is installed + + Fedora + + Checks if package sssd-common is installed. + + + + + + + + + + Package sudo is installed + + Fedora + + Checks if package sudo is installed. + + + + + + + + + + Package systemd is installed + + Fedora + + Checks if package systemd is installed. + + + + + + + + + + Package yum is installed + + Fedora + + Checks if package yum is installed. + + + + + + + + + + System uses zIPL + + Fedora + + Checks if system uses zIPL bootloader. + + + + + + + + + + Check if the scan target is a container + + Fedora + + Check for presence of files characterizing container filesystems. + + + + + + + + + + + Check if the scan target is a machine + + Fedora + + Check for absence of files characterizing container filesystems. + + + + + + + + + + No CD/DVD drive is configured to automount in /etc/fstab + + Fedora + + Check the /etc/fstab and check if a CD/DVD drive + is not configured for automount. + + + + + + + + + Test for different architecture than s390x + + Fedora + + Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x + + + + + + + + + Device Files for Removable Media Partitions Does Not Exist on the System + + Fedora + + Verify if device file representing removable partitions + exist on the system + + + + + + + + + SSHD is not required to be installed or requirement not set + + Fedora + + If SSHD is not required, we check it is not installed. If SSH requirement is unset, we are good. + + + + + + + + + + SSHD is required to be installed or requirement not set + + Fedora + + If SSHD is required, we check it is installed. If SSH requirement is unset, we are good. + + + + + + + + + + It doesn't matter if sshd is installed or not + + Fedora + + Test if value sshd_required is 0. 
+ + + + + + + + + OpenSSH Server is 7.4 or newer + + Fedora + + Check if version of OpenSSH Server is equal or higher than 7.4 + + + + + + + + + Verify The SSSD Configuration File Exists + + Fedora + + The /etc/sssd/sssd.conf file should exist if it is + in use. + + + + + + + + + SSSD is configured to use LDAP + + Fedora + + Identification provider is not set to ad within /etc/sssd/sssd.conf + + + + + + + + + + Kernel Runtime Parameter IPv6 Check + + Fedora + + Disables IPv6 for all network interfaces. + + + + + + + + + + + + Non-UEFI system boot mode check + + Fedora + + Check if System boot mode is non-UEFI. + + + + + + + + + + UEFI system boot mode check + + Fedora + + Check if system boot mode is UEFI. + + + + + + + + + + Test for 64-bit Architecture + + Fedora + + Generic test for 64-bit architectures to be used by other tests + + + + + + + + + + + + Test for aarch_64 Architecture + + Fedora + + Generic test for aarch_64 architecture to be used by other tests + + + + + + + + + Test for PPC and PPCLE Architecture + + Fedora + + Generic test for PPC PPC64LE architecture to be used by other tests + + + + + + + + + + Test for s390_64 Architecture + + Fedora + + Generic test for s390_64 architecture to be used by other tests + + + + + + + + + Test for x86 Architecture + + Fedora + + Generic test for x86 architecture to be used by other tests + + + + + + + + + Test for x86_64 Architecture + + Fedora + + Generic test for x86_64 architecture to be used by other tests + + + + + + + + + Check that file storing USBGuard rules exists and is not empty + + Fedora + + Check that file storing USBGuard rules at /etc/usbguard/rules.conf exists and is not empty + + + + + + + + + Value of 'var_accounts_user_umask' variable represented as octal number + + Fedora + + Value of 'var_accounts_user_umask' variable represented as octal number + + + + + + + + + Value of 'var_removable_partition' variable is set to '/dev/cdrom' + + Fedora + + Verify if value of 'var_removable_partition' 
variable is set + to '/dev/cdrom' + + + + + + + + + Value of 'var_umask_for_daemons' variable represented as octal number + + Fedora + + Value of 'var_umask_for_daemons' variable represented as octal number + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /etc/vsftpd/vsftpd.conf + ^[\s]*xferlog_enable[\s]*=[\s]*YES$ + 1 + + + /etc/vsftpd/vsftpd.conf + ^[\s]*xferlog_std_format[\s]*=[\s]*NO$ + 1 + + + /etc/vsftpd/vsftpd.conf + ^[\s]*log_ftp_protocol[\s]*=[\s]*YES$ + 1 + + + /etc/vsftpd/vsftpd.conf + ^[\s]*banner_file=/etc/issue[\s]*$ + 1 + + + ^/etc/.+\.keytab$ + + 
+ /etc/aliases + ^(?:[rR][oO][oO][tT]|"[rR][oO][oO][tT]")\s*:\s*(.+)$ + 1 + + + /etc/exports + ^(.*?(\binsecure_locks\b)[^$]*)$ + 1 + + + /etc/chrony.conf + ^\s*port[\s]+(\S+) + 1 + + + /etc/chrony.conf + ^\s*cmdport[\s]+(\S+) + 1 + + + /etc/ntp.conf + ^server[\s]+[\S]+.*maxpoll[\s]+(\d+) + 1 + + + ^/etc/chrony\.(conf|d/.+\.conf)$ + ^server[\s]+[\S]+.*maxpoll[\s]+(\d+) + 1 + + + /etc/ntp.conf + ^server[\s]+[\S]+[\s]+(.*) + 1 + + + ^/etc/chrony\.(conf|d/.+\.conf)$ + ^server[\s]+[\S]+[\s]+(.*) + 1 + + + /etc/sysconfig/chronyd + ^[ \t]*OPTIONS=(.+?)[ \t]*(?:$|#) + 1 + + + ^/etc/sysconfig/chronyd + + + ^/etc/chrony\.(conf|d/.+\.conf)$ + ^[\s]*(?:server|pool)[\s]+.+$ + 1 + + + /etc/ntp.conf + ^[\s]*restrict[\s]+(-4[\s]*)?default(?=.*kod)(?=.*nomodify)(?=.*notrap)(?=.*nopeer)(?=.*noquery).*$ + 1 + + + /etc/ntp.conf + ^[\s]*restrict[\s]+-6[\s]+default(?=.*kod)(?=.*nomodify)(?=.*notrap)(?=.*nopeer)(?=.*noquery).*$ + 1 + + + /etc/sysconfig/ntpd + ^[\s]*OPTIONS=.*-u ntp:ntp.*$ + 1 + + + /usr/lib/systemd/system/ntpd.service + ^[\s]*ExecStart=.*-u ntp:ntp.*$ + 1 + + + /etc/ntp.conf + ^([\s]*server[\s]+.+$){2,}$ + 1 + + + /etc/ntp.conf + ^[\s]*server[\s]+.+$ + 1 + + + /root + ^\.(r|s)hosts$ + + + + /home + ^\.(r|s)hosts$ + + + /etc + ^s?hosts\.equiv$ + + + /etc/snmp/snmpd.conf + ^((?!#).)*(public|private).* + 1 + + + /etc/snmp/snmpd.conf + ^[\s]*(com2se|rocommunity|rwcommunity) + 1 + + + /etc/ssh/sshd_config + ^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)Compression(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[\s]*(?i)RhostsRSAAuthentication(?-i)[\s]+no[\s]*(?:#.*)?$ + 1 + + + /etc/ssh/sshd_config + + 1 + + + /etc/ssh/sshd_config + ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$ + 1 + + + /etc/ssh/sshd_config + ^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:#.*)?$ + 1 + + + /etc/ssh/sshd_config + ^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$ + 1 + + + /etc/ssh/sshd_config + 
^[\s]*(?i)MaxSessions[\s]+(\d+)[\s]*(?:#.*)?$ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)UsePrivilegeSeparation(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/sssd/sssd.conf + ^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*pam_cert_auth[\s]*=[\s]*true$ + 1 + + + /etc/sssd/sssd.conf + ^[\s]*\[nss](?:[^\n\[]*\n+)+?[\s]*memcache_timeout[\s]*=[\s]*(\d+)$ + 1 + + + /etc/sssd/sssd.conf + ^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*offline_credentials_expiration[\s]*=[\s]*1$ + 1 + + + ^/etc/sssd/(sssd|conf\.d/.*)\.conf$ + ^\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*user[ \t]*=[ \t]*(\S*) + 1 + + + /etc/sssd/sssd.conf + ^[\s]*\[ssh](?:[^\n\[]*\n+)+?[\s]*ssh_known_hosts_timeout[\s]*=[\s]*(\d+)$ + 1 + + + /etc/usbguard/usbguard-daemon.conf + ^[ \t]*AuditBackend=(.+?)[ \t]*(?:$|#) + 1 + + + ^/etc/usbguard/usbguard-daemon.conf + + + /etc/systemd/system/default.target + + + + ^/etc/issue(\.d/.*)?$ + ^(.*)$ + 1 + + + + /etc/motd + ^(.*)$ + 1 + + + /etc/dconf/db/gdm.d/ + ^.*$ + ^\[org/gnome/login-screen]([^\n]*\n+)+?banner-message-enable=true$ + 1 + + + /etc/dconf/db/gdm.d/locks/ + ^.*$ + ^/org/gnome/login-screen/banner-message-enable$ + 1 + + + /etc/dconf/db/gdm.d/locks/ + ^.*$ + ^/org/gnome/login-screen/banner-message-text$ + 1 + + + /etc/dconf/db/gdm.d/ + ^.*$ + ^banner-message-text=[\s]*'*(.*?)'$ + 1 + + + + /etc/pam.d/postlogin + [\n][\s]*session[\s]+\[default=1\][\s]+pam_lastlog.so[\s\w\d\=]+showfailed[\s\w\d\=]*\n[\s]*session[\s]+optional[\s]+pam_lastlog.so[\s\w\d\=]+showfailed[\s\w\d\=]*[\n] + 1 + + + /etc/pam.d/login + ^\s*session\s+(required|requisite)?\s+pam_lastlog.so[\s\w\d\=]+silent(\s|$) + 1 + + + /etc/pam.d/login + ^\s*session\s+required\s+pam_namespace\.so\s*$ + 1 + + + /etc/pam.d/system-auth + ^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*remember=([0-9]*).*$ + 1 + + + /etc/pam.d/system-auth + ^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so.*remember=([0-9]*).*$ + 1 + + + /etc/pam.d/system-auth + [\n][\s]*auth[\s]+\[.*default=([0-9]+).*\][\s]+pam_unix\.so + 1 
+ + + /etc/pam.d/system-auth + + 1 + + + /etc/pam.d/password-auth + [\n][\s]*auth[\s]+\[[^\]]*default=([0-9]+)[^\]]*\][\s]+pam_unix\.so + 1 + + + /etc/pam.d/password-auth + + 1 + + + /etc/pam.d/system-auth + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] + 1 + + + /etc/pam.d/system-auth + [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[[^\]]*default=ignore[^\]]*\]))[^\n]+pam_unix\.so(?:.*[\n])*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[^\n]+deny=([0-9]+) + 1 + + + /etc/pam.d/system-auth + [\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n] + 1 + + + /etc/pam.d/password-auth + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] + 1 + + + /etc/pam.d/password-auth + [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[[^\]]*default=ignore[[^\]]*\]))[\s]+pam_unix\.so(?:.*[\n])*[^\n]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+) + 1 + + + /etc/pam.d/password-auth + [\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n] + 1 + + + + /etc/pam.d/system-auth + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] + 1 + + + + /etc/pam.d/system-auth + [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n] + 1 + + + + /etc/pam.d/password-auth + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] + 1 + + + + 
/etc/pam.d/password-auth + [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n] + 1 + + + /etc/pam.d/system-auth + ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*fail_interval=([0-9]*).*$ + 1 + + + /etc/pam.d/system-auth + ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*fail_interval=([0-9]*).*$ + 1 + + + /etc/pam.d/password-auth + ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*fail_interval=([0-9]*).*$ + 1 + + + /etc/pam.d/password-auth + ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*fail_interval=([0-9]*).*$ + 1 + + + /etc/pam.d/password-auth + ^\s*account\s+required\s+pam_faillock\.so.*$ + 1 + + + /etc/pam.d/system-auth + ^\s*account\s+required\s+pam_faillock\.so.*$ + 1 + + + + oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system-auth:obj:1 + oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password-auth:obj:1 + + + + + oval:ssg-object_accounts_passwords_pam_faillock_preauth_unlock_time_system-auth:obj:1 + oval:ssg-object_accounts_passwords_pam_faillock_authfail_unlock_time_system-auth:obj:1 + + + + + oval:ssg-object_accounts_passwords_pam_faillock_preauth_unlock_time_password-auth:obj:1 + oval:ssg-object_accounts_passwords_pam_faillock_authfail_unlock_time_password-auth:obj:1 + + + + /etc/pam.d/system-auth + ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*unlock_time=(\w*).*$ + 1 + + + /etc/pam.d/system-auth + ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*unlock_time=(\w*).*$ + 1 + + + /etc/pam.d/password-auth + ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*unlock_time=(\w*).*$ + 1 + + + /etc/pam.d/password-auth + ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*unlock_time=(\w*).*$ + 1 + + + 
oval:ssg-var_accounts_passwords_pam_faillock_unlock_time:var:1 + + + /etc/pam.d/system-auth + ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$ + 1 + + + /etc/libuser.conf + ^[\s]*crypt_style[\s]+=[\s]+(?i)sha512[\s]*$ + 1 + + + + /etc/login.defs + .*\n[^#]*(ENCRYPT_METHOD\s+\w+)\s*\n + 1 + + + oval:ssg-variable_last_encrypt_method_instance_value:var:1 + + + /etc/pam.d/system-auth + ^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$ + 1 + + + /etc/systemd/system/ctrl-alt-del.target + + + /etc/default/grub + ^\s*GRUB_CMDLINE_LINUX=".*systemd.confirm_spawn=(?:1|yes|true|on).*$ + 1 + + + /etc/default/grub + ^\s*GRUB_CMDLINE_LINUX_DEFAULT=".*systemd.confirm_spawn=(?:1|yes|true|on).*$ + 1 + + + /usr/lib/systemd/system/emergency.service + ^ExecStart=\-/usr/lib/systemd/systemd-sulogin-shell[\s]+emergency + 1 + + + /usr/lib/systemd/system/emergency.target + ^Requires=.*emergency.service + 1 + + + + /etc/systemd/system + ^emergency.service$ + + + + /etc/systemd/system + ^emergency.target$ + + + /usr/lib/systemd/system/rescue.service + ^ExecStart=\-.*/usr/lib/systemd/systemd-sulogin-shell[ ]+rescue + 1 + + + /usr/lib/systemd/system/runlevel1.target + ^Requires=.*rescue.service + 1 + + + + /etc/systemd/system + ^rescue.service$ + + + + /etc/systemd/system + ^runlevel1.target$ + + + + /etc/bashrc + ^(.*)$ + 1 + + + /etc/tmux.conf + ^\s*set\s+-g\s+lock-after-time\s+900\s*(?:#.*)?$ + 1 + + + /etc/tmux.conf + ^\s*set\s+-g\s+lock-command\s+vlock\s*(?:#.*)?$ + 1 + + + /etc/shells + tmux$ + 1 + + + ^/etc/opensc.*.conf$ + ^[\s]+card_drivers[\s]+=[\s]+(\S+);$ + 1 + + + /etc/pki/nssdb/pkcs11.txt + ^library=opensc.*.so$ + 1 + + + ^/etc/opensc.*.conf$ + ^[\s]+force_card_driver[\s]+=[\s]+(\S+);$ + 1 + + + /etc/pam_pkcs11/pam_pkcs11.conf + ^[\s]*cert_policy[ ]=(.*)$ + 1 + + + + /etc/pam.d/system-auth + + 1 + + + + /etc/pam.d/system-auth + + 1 + + + + /etc/pam.d/smartcard-auth + + 1 + + + /etc/default/useradd + 
^\s*INACTIVE\s*=\s*(\d+)\s*$ + 1 + + + /etc/passwd + ^([^:]+):.*$ + 1 + + + oval:ssg-variable_count_of_all_usernames_from_etc_passwd:var:1 + + + /etc/login.defs + ^(?:.*\n)*\s*[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n + 1 + + + oval:ssg-variable_last_pass_max_days_instance_value:var:1 + + + + /etc/login.defs + .*\n[^#]*(PASS_MIN_DAYS\s+\d+)\s*\n + 1 + + + oval:ssg-variable_last_pass_min_days_instance_value:var:1 + + + + /etc/login.defs + .*\n[^#]*(PASS_MIN_LEN\s+\d+)\s*\n + 1 + + + oval:ssg-variable_last_pass_min_len_instance_value:var:1 + + + + /etc/login.defs + .*\n[^#]*(PASS_WARN_AGE\s+\d+)\s*\n + 1 + + + oval:ssg-variable_last_pass_warn_age_instance_value:var:1 + + + .* + + + ^/etc/pam.d/password-auth$ + ^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*rounds=([0-9]*).*$ + 1 + + + oval:ssg-var_password_pam_unix_rounds:var:1 + + + ^/etc/pam.d/system-auth$ + ^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*rounds=([0-9]*).*$ + 1 + + + oval:ssg-var_password_pam_unix_rounds:var:1 + + + /etc/group + ^.*:x:([0-9]+): + 1 + + + /etc/passwd + ^.*:[0-9]+:([0-9]+): + 1 + + + /etc/pam.d/system-auth + ^[^#]*\bnullok\b.*$ + 1 + + + /etc/group + ^\+.*$ + 1 + + + /etc/passwd + ^\+.*$ + 1 + + + /etc/shadow + ^\+.*$ + 1 + + + + /home + ^\.netrc$ + + + /etc/passwd + ^(?!root:)[^:]*:[^:]*:0 + 1 + + + /etc/securetty + ^.*$ + 1 + + + /etc/securetty + ^$ + 1 + + + + /etc/login.defs + .*\n(?!#|SYS_)(UID_MIN[\s]+[\d]+)\s*\n + 1 + + + + /etc/login.defs + .*\n[^#]*(SYS_UID_MIN[\s]+[\d]+)\s*\n + 1 + + + + /etc/login.defs + .*\n[^#]*(SYS_UID_MAX[\s]+[\d]+)\s*\n + 1 + + + /etc/passwd + ^(?!root).*:x:([\d]+):[\d]+:[^:]*:[^:]*:(?!\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$ + 1 + + + /etc/securetty + ^ttyS[0-9]+$ + 1 + + + /etc/securetty + ^vc/[0-9]+$ + 1 + + + /etc/pam.d/su + ^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$ + 1 + + + /etc/login.defs + ^[\s]*(?i)CREATE_HOME(?-i)[\s]+yes[\s]*(?:#.*)?$ + 1 + + + /etc/login.defs + 
^[\s]*(?i)FAIL_DELAY(?-i)[\s]+([^#\s]*) + 1 + + + /etc/security/limits.conf + ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$ + 1 + + + /etc/security/limits.d + ^.*\.conf$ + ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$ + 1 + + + /etc/security/limits.d + ^.*\.conf$ + ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins + 1 + + + /tmp/tmp-inst + + + + /etc/security/namespace.conf + ^\s*/tmp\s+/tmp/tmp-inst/\s+level\s+root,adm$ + 1 + + + /var/tmp/tmp-inst + + + + /etc/security/namespace.conf + ^\s*/var/tmp\s+/var/tmp/tmp-inst/\s+level\s+root,adm$ + 1 + + + /etc/profile + ^[\s]*TMOUT=([\w$]+).*$ + 1 + + + /etc/profile.d + ^.*\.sh$ + ^[\s]*TMOUT=([\w$]+).*$ + 1 + + + + /home + + oval:ssg-state_home_dirs_home_itself:ste:1 + oval:ssg-state_home_dirs_wrong_perm:ste:1 + + + + PATH + + + + + oval:ssg-state_accounts_root_path_dirs_wrong_perms:ste:1 + oval:ssg-state_accounts_root_path_dirs_symlink:ste:1 + + + + PATH + + + /etc/login.defs + ^[\s]*UMASK[\s]+([^#\s]*) + 1 + + + oval:ssg-var_etc_login_defs_umask_as_number:var:1 + + + /etc/profile + ^[\s]*umask[\s]+([^#\s]*) + 1 + + + oval:ssg-var_etc_profile_umask_as_number:var:1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+task,never[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+task,never[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-e\s+2\s*$ + 1 + + + /etc/audit/audit.rules + ^\-e\s+2\s*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + 
^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w\s+/var/run/utmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w\s+/var/log/btmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w\s+/var/log/wtmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + /etc/audit/audit.rules + ^\-w\s+/var/run/utmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + /etc/audit/audit.rules + ^\-w\s+/var/log/btmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + /etc/audit/audit.rules + ^\-w\s+/var/log/wtmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ 
+ 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s+]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + + /var/log/audit + ^.*$ + oval:ssg-state_not_mode_0750:ste:1 + + + + /var/log/audit + ^.*$ + 
oval:ssg-state_not_mode_0700:ste:1 + + + + /var/log/audit + + oval:ssg-state_owner_not_root_root_var_log_audit:ste:1 + + + + /var/log/audit + ^.*$ + oval:ssg-state_owner_not_root_root_var_log_audit:ste:1 + + + + /var/log/audit + + oval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1 + + + + /var/log/audit + ^.*$ + oval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1 + + + + /var/log/audit + ^.*$ + oval:ssg-state_not_mode_0640:ste:1 + + + + /var/log/audit + ^.*$ + oval:ssg-state_not_mode_0600:ste:1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + + / + [a-z]+ + oval:ssg-state_setuid_or_setgid_set:ste:1 + oval:ssg-state_dev_proc_sys_dirs:ste:1 + + + oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a always,exit (?:-F path=([\S]+) )+-F auid>=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1 + + + /etc/audit/audit.rules + ^[\s]*-a always,exit (?:-F path=([\S]+) )+-F auid>=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audisp-remote.conf + ^[ ]*remote_server[ ]+=[ ]+(\S+)[ ]*$ + 1 + + + /etc/audit/audisp-remote.conf + ^[ ]*transport[ ]+=[ ]+KRB5[ ]*$ + 1 + + + /etc/audit/plugins.d/syslog.conf + ^[ ]*active[ ]+=[ ]+yes[ ]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*disk_error_action[ ]+=[ ]+(\S+)[ ]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*disk_full_action[ ]+=[ ]+(\S+)[ ]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*action_mail_acct[ ]+=[ ]+(\S+)[ ]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*admin_space_left_action[ ]+=[ ]+(\S+)[ ]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*flush[ ]+=[ ]+(\S+)[ ]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*max_log_file[ ]+=[ ]+(\d+)[ ]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*max_log_file_action[ ]+=[ ]+(\S+)[ ]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*num_logs[ ]+=[ ]+(\d+)[ ]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$ + 1 + + + ^/boot/grub2/grub.cfg + + + /boot/grub2/grub.cfg + ^[\s]*set[\s]+superusers="(?i)(?!root|admin|administrator)(?-i).*"$ + 1 + + + ^/boot/grub2/grub.cfg + + + /boot/grub2/grub.cfg + ^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$ + 1 + + + /boot/grub2/user.cfg + ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$ + 1 + + + /boot/grub2/grub.cfg + ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$ + 1 + + + ^/boot/efi/EFI/fedora/grub.cfg + + + /boot/efi/EFI/fedora/grub.cfg + 
^[\s]*set[\s]+superusers="(?i)(?!root|admin|administrator)(?-i).*"$ + 1 + + + ^/boot/efi/EFI/fedora/grub.cfg + + + /boot/efi/EFI/fedora/grub.cfg + ^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$ + 1 + + + /boot/efi/EFI/fedora/user.cfg + ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$ + 1 + + + /boot/efi/EFI/fedora/grub.cfg + ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$ + 1 + + + /etc/logwatch/conf/logwatch.conf + ^[\s]HostLimit[\s]*=[\s]*no[\s]*$ + 1 + + + /etc/logwatch/conf/logwatch.conf + ^[\s]SplitHosts[\s]*=[\s]*yes[\s]*$ + 1 + + + /etc/rsyslog.conf + ^[\s]*cron\.\*[\s]+/var/log/cron$ + 1 + + + /etc/rsyslog.d + ^.*$ + ^[\s]*cron\.\*[\s]+/var/log/cron$ + 1 + + + /etc/rsyslog.conf + ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ + 1 + + + oval:ssg-var_rfg_include_config_regex:var:1 + + + oval:ssg-var_rfg_syslog_config:var:1 + + + + oval:ssg-object_var_rfg_include_config_regex:obj:1 + oval:ssg-object_var_rfg_syslog_config:obj:1 + + + + + ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ + 1 + oval:ssg-state_groupownership_ignore_include_paths:ste:1 + + + + + + /etc/rsyslog.conf + ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ + 1 + + + oval:ssg-var_rfo_include_config_regex:var:1 + + + oval:ssg-var_rfo_syslog_config:var:1 + + + + oval:ssg-object_var_rfo_include_config_regex:obj:1 + oval:ssg-object_var_rfo_syslog_config:obj:1 + + + + + ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ + 1 + oval:ssg-state_owner_ignore_include_paths:ste:1 + + + + + + /etc/rsyslog.conf + ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ + 1 + + + oval:ssg-var_rfp_include_config_regex:var:1 + + + oval:ssg-var_rfp_syslog_config:var:1 + + + + oval:ssg-object_var_rfp_include_config_regex:obj:1 + oval:ssg-object_var_rfp_syslog_config:obj:1 + + + + + ^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ + 1 + oval:ssg-state_permissions_ignore_include_paths:ste:1 + + + + + + /etc/logrotate.conf + ^\s*daily[\s#]*$ + 1 + + + 
/etc/logrotate.conf + ^\s*(weekly|monthly|yearly)[\s#]*$ + 1 + + + /etc/cron.daily/logrotate + ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$ + 1 + + + /etc/rsyslog.conf + ^[\s]*\$((?:Input(?:TCP|RELP)|UDP)ServerRun|ModLoad[\s]+(imtcp|imudp|imrelp)) + 1 + + + /etc/rsyslog.conf + ^\*\.\*[\s]+(?:@|\:omrelp\:) + 1 + + + /etc/rsyslog.d + .* + ^\*\.\*[\s]+(?:@|\:omrelp\:) + 1 + + + + ^/etc/rsyslog\.(conf|d/.+\.conf)$ + ^\s*action\((?i)type(?-i)="omfwd"(.+?)\) + 0 + + + ^/etc/rsyslog\.(conf|d/.+\.conf)$ + ^\s*global\(DefaultNetstreamDriverCAFile="(.+?)"\)\s*\n + 0 + + + /etc/sysconfig/network + ^[\s]*NOZEROCONF[\s]*=[\s]*yes + 1 + + + ^/etc/polkit-1/localauthority/20-org.d/.*$ + ^\[.*\]\n\s*Identity=default\n\s*Action=org\.freedesktop\.NetworkManager\.\*\n\s*ResultAny=no\n\s*ResultInactive=no\n\s*(ResultActive=auth_admin)\n*\s*$ + 1 + + + ^.*$ + oval:ssg-state_promisc:ste:1 + + + /etc/firewalld/firewalld.conf + ^DefaultZone=drop$ + 1 + + + /etc/sysconfig/network-scripts + ifcfg-.* + ^IPV6_DEFAULTGW=.+$ + 1 + + + /etc/sysconfig/network-scripts + ifcfg-.* + ^IPV6_PRIVACY=rfc3041$ + 1 + + + /etc/sysconfig/network-scripts + ifcfg-.* + ^IPV6ADDR=.+$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*options\s+ipv6\s+.*disable=1.*$ + 1 + + + /etc/netconfig + ^udp6\s+tpi_clts\s+v\s+inet6\s+udp\s+-\s+-$ + 1 + + + /etc/netconfig + ^tcp6\s+tpi_cots_ord\s+v\s+inet6\s+tcp\s+-\s+-$ + 1 + + + /proc/net/wireless + ^\s*[-\w]+: + 1 + + + + / + + oval:ssg-state_uid_is_not_root_and_world_writable:ste:1 + + + + / + + oval:ssg-state_world_writable_and_not_sticky:ste:1 + + + + / + + oval:ssg-state_uid_is_user_and_world_writable:ste:1 + + + + / + + oval:ssg-state_gid_is_user_and_world_writable:ste:1 + + + /boot + ^System\.map.*$ + + + + / + ^.*$ + oval:ssg-state_file_permissions_unauthorized_sgid_sgid_set:ste:1 + oval:ssg-state_file_permissions_unauthorized_sgid_filepaths:ste:1 + + + + .* + .* + .* + .* + .* + + + + + / + ^.*$ + oval:ssg-state_file_permissions_unauthorized_sgid_sgid_set:ste:1 
+ + + + / + ^.*$ + oval:ssg-state_file_permissions_unauthorized_suid_suid_set:ste:1 + oval:ssg-state_file_permissions_unauthorized_suid_filepaths:ste:1 + + + + .* + .* + .* + .* + .* + + + + + / + ^.*$ + oval:ssg-state_file_permissions_unauthorized_suid_suid_set:ste:1 + + + + / + ^.*$ + oval:ssg-state_file_permissions_unauthorized_world_write:ste:1 + oval:ssg-state_file_permissions_unauthorized_world_write_exclude_special_selinux_files:ste:1 + oval:ssg-state_file_permissions_unauthorized_world_write_exclude_proc:ste:1 + oval:ssg-state_file_permissions_unauthorized_world_write_exclude_sys:ste:1 + + + + / + .* + oval:ssg-state_file_permissions_ungroupowned:ste:1 + + + /etc/group + ^[^:]+:[^:]*:([\d]+):[^:]*$ + 1 + + + .* + + + + / + .* + oval:ssg-file_permissions_unowned_userid_list_match:ste:1 + + + ^\/lib(|64)|^\/usr\/lib(|64) + + oval:ssg-dir_state_perms_nogroupwrite_noworldwrite:ste:1 + oval:ssg-dir_perms_state_symlink:ste:1 + + + ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec + + oval:ssg-state_owner_binaries_not_root:ste:1 + + + ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec + ^.*$ + oval:ssg-state_owner_binaries_not_root:ste:1 + + + ^\/lib(|64)\/|^\/usr\/lib(|64)\/ + + oval:ssg-state_owner_libraries_not_root:ste:1 + + + ^\/lib(|64)\/|^\/usr\/lib(|64)\/ + ^.*$ + oval:ssg-state_owner_libraries_not_root:ste:1 + + + ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec + ^.*$ + oval:ssg-state_perms_binary_files_nogroupwrite_noworldwrite:ste:1 + oval:ssg-state_perms_binary_files_symlink:ste:1 + + + ^\/lib(|64)|^\/usr\/lib(|64) + + oval:ssg-state_perms_nogroupwrite_noworldwrite:ste:1 + oval:ssg-perms_state_symlink:ste:1 + + + ^\/lib(|64)|^\/usr\/lib(|64) + ^.*$ + oval:ssg-state_perms_nogroupwrite_noworldwrite:ste:1 + oval:ssg-perms_state_symlink:ste:1 + + + /etc/default/grub + ^[ \t]*GRUB_CMDLINE_LINUX=([^#]*).*$ + 1 + + + ^/\w.*$ + oval:ssg-state_local_nodev:ste:1 + + + /etc/fstab + ^[\s]*/tmp[\s]+/var/tmp[\s]+.*bind.*$ + 1 + + + ^/var/tmp$ + + + 
/etc/mtab + ^[\s]*/tmp[\s]+/var/tmp[\s]+.*bind.*$ + 1 + + + ^/tmp$ + + + /etc/systemd/coredump.conf + ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)ProcessSizeMax(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + /etc/systemd/coredump.conf + ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + /etc/security/limits.conf + ^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+) + 1 + + + /etc/security/limits.d + ^.*\.conf$ + ^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+) + 1 + + + /etc/security/limits.d + ^.*\.conf$ + ^[\s]*\*[\s]+(?:hard|-)[\s]+core + 1 + + + /etc/init.d/functions + ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*) + 1 + + + oval:ssg-var_etc_init_d_functions_umask_as_number:var:1 + + + /etc/sysctl.conf + ^[\s]*kernel.exec-shield[\s]*=[\s]*1[\s]*$ + 1 + + + kernel.exec-shield + + + /boot/grub2/grub.cfg + [\s]*noexec[\s]*=[\s]*off + 1 + + + kernel-PAE + + + /proc/cpuinfo + ^flags[\s]+:.*[\s]+pae[\s]+.*[\s]+nx[\s]+.*$ + 1 + + + /etc/sysconfig/kernel + ^\s*DEFAULTKERNEL[\s]*=[\s]*kernel-PAE$ + 1 + + + /etc/default/grub + ^[\s]*GRUB_CMDLINE_LINUX.*(selinux|enforcing)=0.*$ + 1 + + + /etc/grub2.cfg + ^.*(selinux|enforcing)=0.*$ + 1 + + + /etc/grub.d + ^.*$ + ^.*(selinux|enforcing)=0.*$ + 1 + + + + /dev + ^.*$ + oval:ssg-state_block_or_char_device_file:ste:1 + + + + oval:ssg-state_selinux_dev_device_t:ste:1 + + + + oval:ssg-state_selinux_dev_unlabeled_t:ste:1 + + + + /proc + ^.*$ + oval:ssg-state_selinux_confinement_of_daemons:ste:1 + + + /etc/selinux/config + ^SELINUXTYPE=([\w]*)[\s]*$ + 1 + + + /etc/selinux/config + ^SELINUX=(.*)$ + 1 + + + /proc/cpuinfo + ^flags\s+:\s+(.*)$ + 1 + + + /proc/sys/kernel/osrelease + ^.*\.(.*)$ + 1 + + + /etc/dconf/db/local + + + ^/etc/dconf/db/local.d/.* + + + oval:ssg-var_dconf_local_db_modified_time:var:1 + + + /etc/dconf/profile/user + ^user-db:user\nsystem-db:local$ + 1 + + + /etc/dconf/db/gdm.d/ + ^.*$ + ^\[org/gnome/login-screen]([^\n]*\n+)+?disable-restart-buttons=true$ + 1 + + + 
/etc/dconf/db/gdm.d/locks/ + ^.*$ + ^/org/gnome/login-screen/disable-restart-buttons$ + 1 + + + /etc/dconf/db/gdm.d/ + ^.*$ + ^\[org/gnome/login-screen]([^\n]*\n+)+?disable-user-list=true$ + 1 + + + /etc/dconf/db/gdm.d/locks/ + ^.*$ + ^/org/gnome/login-screen/disable-user-list$ + 1 + + + /etc/dconf/db/gdm.d/ + ^.*$ + ^\[org/gnome/login-screen]([^\n]*\n+)+?enable-smartcard-authentication=true$ + 1 + + + /etc/dconf/db/gdm.d/locks/ + ^.*$ + ^/org/gnome/login-screen/enable-smartcard-authentication$ + 1 + + + /etc/dconf/db/gdm.d/ + ^.*$ + ^\[org/gnome/login-screen]([^\n]*\n+)+?allowed-failures=3$ + 1 + + + /etc/dconf/db/gdm.d/locks/ + ^.*$ + ^/org/gnome/login-screen/allowed-failures$ + 1 + + + /etc/gdm/custom.conf + ^\[daemon]([^\n]*\n+)+?AutomaticLoginEnable=[Ff]alse$ + 1 + + + /etc/gdm/custom.conf + ^\[daemon]([^\n]*\n+)+?TimedLoginEnable=[Ff]alse$ + 1 + + + /etc/gdm/custom.conf + ^\s*\[xdmcp\].*(?:\n\s*[^[\s].*)*\n^\s*Enable[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + ^/etc/gdm/custom.conf + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount=false$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/media-handling/automount$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount-open=false$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/media-handling/automount-open$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?autorun-never=true$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/media-handling/autorun-never$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/thumbnailers]([^\n]*\n+)+?disable-all=true$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/thumbnailers/disable-all$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/nm-applet]([^\n]*\n+)+?disable-wifi-create=true$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + 
^/org/gnome/nm-applet/disable-wifi-create$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/nm-applet]([^\n]*\n+)+?suppress-wireless-networks-available=true$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/nm-applet/suppress-wireless-networks-available$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/Vino]([^\n]*\n+)+?authentication-methods=\['vnc'\]$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/Vino/authentication-methods$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/Vino]([^\n]*\n+)+?require-encryption=true$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/Vino/require-encryption$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?idle-activation-enabled=true$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/screensaver/idle-activation-enabled$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/screensaver/idle-activation-enabled$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/session]([^\n]*\n+)+?idle-delay=uint32[\s][0-9]*$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/session/idle-delay$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^idle-delay[\s=]*uint32[\s]([^=\s]*) + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-delay=uint32[\s][0-9]*$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/screensaver/lock-delay$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^lock-delay[\s=]*uint32[\s]([^=\s]*) + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-enabled=true$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/screensaver/lock-enabled$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/screensaver/lock-enabled$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?picture-uri=(string[\s])?\'\'$ + 1 + + + /etc/dconf/db/local.d/locks/ 
+ ^.*$ + ^/org/gnome/desktop/screensaver/picture-uri$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?show-full-name-in-top-bar=false$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/screensaver/lock-delay$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/session/idle-delay$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/settings-daemon/plugins/media-keys]([^\n]*\n+)+?logout[\s]*=[\s]*''$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/settings-daemon/plugins/media-keys/logout$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/system/location]([^\n]*\n+)+?enabled=false$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/system/location/enabled$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/clocks]([^\n]*\n+)+?geolocation=false$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/clocks/geolocation$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/settings-daemon/plugins/power]([^\n]*\n+)+?active=false$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/settings-daemon/plugins/power/active$ + 1 + + + /etc/named.conf + ^\s*include\s+"/etc/crypto-policies/back-ends/bind.config"\s*;\s*$ + 1 + + + /etc/crypto-policies/state/current + + + /etc/crypto-policies/config + + + oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 + + + /etc/crypto-policies/config + ^(?!#)(\S+)$ + 1 + + + /etc/crypto-policies/state/current + ^(?!#)(\S+)$ + 1 + + + /etc/crypto-policies/back-ends/nss.config + + + oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 + + + /etc/krb5.conf.d/crypto-policies + + + /etc/crypto-policies/back-ends/krb5.config + + + /etc/ipsec.conf + ^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$ + 1 + + + /etc/pki/tls/openssl.cnf + 
^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config\s*$ + 1 + + + /etc/sysconfig/sshd + ^\s*CRYPTO_POLICY\s*=.*$ + 1 + + + /etc/ssh/ssh_config.d/02-ospp.conf + ^[ \t]*Match[\s]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/ssh_config.d/02-ospp.conf + ^Match final all(?:.* +)*?\s*RekeyLimit[\s]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/ssh_config.d/02-ospp.conf + ^Match final all(?:.* +)*?\s*GSSAPIAuthentication[\s]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/ssh_config.d/02-ospp.conf + ^Match final all(?:.* +)*?\s*Ciphers[\s]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/ssh_config.d/02-ospp.conf + ^Match final all(?:.* +)*?\s*PubkeyAcceptedKeyTypes[\s]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/ssh_config.d/02-ospp.conf + ^Match final all(?:.* +)*?\s*MACs[\s]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/ssh_config.d/02-ospp.conf + ^Match final all(?:.* +)*?\s*KexAlgorithms[\s]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/crypto-policies/back-ends/opensshserver.config + ^(?:.*\n)*\s*CRYPTO_POLICY=(.+?)[ \t]*(?:$|#) + 1 + + + /etc/selinux/config + ^[\s]*SELINUX[\s]*=[\s]*enforcing[\s]*$ + 1 + + + McAfeeVSEForLinux + + + MFErt + + + MFEcma + + + /opt/McAfee/accm/bin + accm + + + /opt/McAfee/auditengine/bin + auditmanager + + + /etc/dracut.conf.d/40-fips.conf + ^\s*add_dracutmodules\+="\s*(\w*)\s*"\s*(?:#.*)?$ + 1 + + + oval:ssg-var_system_crypto_policy:var:1 + + + /etc/system-fips + + + crypto.fips_enabled + + + /etc/aide.conf + ^@@define[\s]DBDIR[\s]+(/.*)$ + 1 + + + /etc/aide.conf + ^database_out=file:@@{DBDIR}/([a-z.]+)$ + 1 + + + /etc/aide.conf + ^database=file:@@{DBDIR}/([a-z.]+)$ + 1 + + + + + + + + + /etc/crontab + ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ + 1 + + + /etc/cron.d + ^.*$ + ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ 
+ 1 + + + /var/spool/cron/root + ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*(root)?[\s]*/usr/sbin/aide[\s]*\-\-check.*$ + 1 + + + ^/etc/cron.(daily|weekly)$ + ^.*$ + ^\s*/usr/sbin/aide[\s]*\-\-check.*$ + 1 + + + + .* + .* + .* + .* + .* + ^/(bin|sbin|lib|lib64|usr)/.+$ + oval:ssg-state_files_fail_md5_hash:ste:1 + + + + .* + .* + .* + .* + .* + .* + oval:ssg-state_files_fail_mode:ste:1 + + + /etc/sudoers + ^(?!#).*[\s]+\!authenticate.*$ + 1 + + + /etc/sudoers.d + ^.*$ + ^(?!#).*[\s]+\!authenticate.*$ + 1 + + + /etc/sudoers + ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ + 1 + + + /etc/sudoers.d + ^.*$ + ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ + 1 + + + /etc/sudoers + ^(?!(#|vdsm.*)).*[\s]+NOPASSWD[\s]*\:.*$ + 1 + + + /etc/sudoers.d + ^.*$ + ^(?!(#|vdsm.*)).*[\s]+NOPASSWD[\s]*\:.*$ + 1 + + + ^/etc/sudoers(\.d/.*)?$ + ^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$)) + 1 + + + ^/etc/sudoers(\.d/.*)?$ + ^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,!\n][^,\n]+,)*\s*(?:\([^\)]+\))?\s*(?!\s*\()(!\S+).* + 1 + + + ^/etc/sudoers(\.d/.*)?$ + ^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*\([\w\s]*\b(root|ALL)\b[\w\s]*\) + 1 + + + ^/etc/sudoers(\.d/.*)?$ + ^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*[^\(\s] + 1 + + + ^/etc/sudoers(\.d/.*)?$ + ^Defaults !targetpw$\r?\n + 1 + + + ^/etc/sudoers(\.d/.*)?$ + ^Defaults !rootpw$\r?\n + 1 + + + ^/etc/sudoers(\.d/.*)?$ + ^Defaults !runaspw$\r?\n + 1 + + + /etc/dnf/automatic.conf + ^\s*\[commands\].*(?:\n\s*[^[\s].*)*\n^\s*apply_updates[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + ^/etc/dnf/automatic.conf + + + /etc/dnf/automatic.conf + ^\s*\[commands\].*(?:\n\s*[^[\s].*)*\n^\s*upgrade_type[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + ^/etc/dnf/automatic.conf + + + gpg-pubkey + + + /etc/dnf/dnf.conf + ^\s*gpgcheck\s*=\s*1\s*$ + 1 + + + /etc/dnf/dnf.conf + ^\s*localpkg_gpgcheck\s*=\s*(1|True|yes)\s*$ + 
1 + + + /etc/yum.repos.d + .* + ^\s*gpgcheck\s*=\s*0\s*$ + 1 + + + /etc/security/pwquality.conf + ^dcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) + 1 + + + /etc/security/pwquality.conf + ^difok[\s]*=[\s]*(\d+)(?:[\s]|$) + 1 + + + /etc/security/pwquality.conf + ^[\s]*local_users_only[\s]*$ + 1 + + + /etc/security/pwquality.conf + ^[\s]*enforce_for_root[\s]*$ + 1 + + + /etc/security/pwquality.conf + ^lcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) + 1 + + + /etc/security/pwquality.conf + ^maxclassrepeat[\s]*=[\s]*(\d+)(?:[\s]|$) + 1 + + + /etc/security/pwquality.conf + ^maxrepeat[\s]*=[\s]*(\d+)(?:[\s]|$) + 1 + + + /etc/security/pwquality.conf + ^minclass[\s]*=[\s]*(\d+)(?:[\s]|$) + 1 + + + /etc/security/pwquality.conf + ^minlen[\s]*=[\s]*(\d+)(?:[\s]|$) + 1 + + + /etc/security/pwquality.conf + ^ocredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) + 1 + + + /etc/security/pwquality.conf + ^ucredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) + 1 + + + /etc/security/faillock.conf + ^[\s]*local_users_only[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + 
^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount[\s]+|([\s]+|[,])umount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+umount[\s]+|([\s]+|[,])umount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount[\s]+|([\s]+|[,])umount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+umount[\s]+|([\s]+|[,])umount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + 
/etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + 
+ ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + /etc/audit/audit.rules + ^\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + /etc/audit/audit.rules + ^\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w\s+\/var\/log\/tallylog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + /etc/audit/audit.rules + ^\-w\s+\/var\/log\/tallylog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 
+ 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + 
+ 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + 
/etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + 
^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + 
^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + 
^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + 
^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + 
^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/auditd.conf + ^[ \t]*(?i)freq(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + /etc/audit/auditd.conf + ^[ \t]*(?i)local_events(?-i)[ 
\t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + /etc/audit/auditd.conf + ^[ \t]*(?i)local_events(?-i)[ \t]*=[ \t]* + 1 + + + /etc/audit/auditd.conf + ^[ \t]*(?i)log_format(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + /etc/audit/auditd.conf + ^[ \t]*(?i)name_format(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + /etc/audit/auditd.conf + ^[ \t]*(?i)write_logs(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + /etc/audit/auditd.conf + ^[ \t]*(?i)write_logs(?-i)[ \t]*=[ \t]* + 1 + + + ^/boot/loader/entries/ostree-2-.*.conf + + + ^/boot/loader/entries/ostree-1-.*.conf + ^options (.*)$ + 1 + + + ^/boot/loader/entries/ostree-2-.*.conf + ^options (.*)$ + 1 + + + ^/proc/cmdline + ^BOOT_IMAGE(.*)$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\s*\[org/gnome/desktop/lockdown\].*(?:\n\s*[^[\s].*)*\n^\s*user-administration-disabled[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + /etc/dconf/db/local.d/locks + ^.*$ + ^/org/gnome/desktop/lockdown/user-administration-disabled$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\s*\[org/gnome/settings-daemon/peripherals/smartcard\].*(?:\n\s*[^[\s].*)*\n^\s*removal-action[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + /etc/dconf/db/local.d/locks + ^.*$ + ^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+ + 1 + + + /etc/group- + + + /etc/gshadow- + + + /etc/passwd- + + + /etc/shadow- + + + /boot/efi/EFI/fedora/grub.cfg + + + /etc/group + + + /etc/gshadow + + + /etc/issue + + + /etc/motd + + + /etc/passwd + + + /etc/shadow + + + /boot/grub2/grub.cfg + + + /var/log/ + + + + /var/log/messages + + + /etc/group- + + + /etc/gshadow- + + + /etc/passwd- + + + /etc/shadow- + + + /boot/efi/EFI/fedora/grub.cfg + + + /etc/group + + + /etc/gshadow + + + /etc/issue + + + /etc/motd + + + /etc/passwd + + + /etc/shadow + + + /boot/grub2/grub.cfg + + + /var/log/ + + + + /var/log/messages + + + 
/etc/group- + oval:ssg-state_file_permissions_backup_etc_group_mode_not_0644:ste:1 + + + /etc/gshadow- + oval:ssg-state_file_permissions_backup_etc_gshadow_mode_not_0000:ste:1 + + + /etc/passwd- + oval:ssg-state_file_permissions_backup_etc_passwd_mode_not_0644:ste:1 + + + /etc/shadow- + oval:ssg-state_file_permissions_backup_etc_shadow_mode_not_0000:ste:1 + + + /boot/efi/EFI/fedora/grub.cfg + oval:ssg-state_file_permissions_efi_grub2_cfg_mode_not_0700:ste:1 + + + /etc/group + oval:ssg-state_file_permissions_etc_group_mode_not_0644:ste:1 + + + /etc/gshadow + oval:ssg-state_file_permissions_etc_gshadow_mode_not_0000:ste:1 + + + /etc/issue + oval:ssg-state_file_permissions_etc_issue_mode_not_0644:ste:1 + + + /etc/motd + oval:ssg-state_file_permissions_etc_motd_mode_not_0644:ste:1 + + + /etc/passwd + oval:ssg-state_file_permissions_etc_passwd_mode_not_0644:ste:1 + + + /etc/shadow + oval:ssg-state_file_permissions_etc_shadow_mode_not_0000:ste:1 + + + /boot/grub2/grub.cfg + oval:ssg-state_file_permissions_grub2_cfg_mode_not_0600:ste:1 + + + /etc/ssh/ + ^.*_key$ + oval:ssg-state_file_permissions_sshd_private_key_mode_not_0640:ste:1 + + + /etc/ssh/ + ^.*.pub$ + oval:ssg-state_file_permissions_sshd_pub_key_mode_not_0644:ste:1 + + + /var/log/ + + oval:ssg-state_file_permissions_var_log_mode_not_0755:ste:1 + + + /var/log/messages + oval:ssg-state_file_permissions_var_log_messages_mode_not_0640:ste:1 + + + /boot/grub2/grubenv + ^kernelopts=(.*)$ + 1 + + + /boot/grub2/grubenv + ^kernelopts=(.*)$ + 1 + + + /boot/grub2/grubenv + ^kernelopts=(.*)$ + 1 + + + /boot/grub2/grubenv + ^kernelopts=(.*)$ + 1 + + + /boot/grub2/grubenv + ^kernelopts=(.*)$ + 1 + + + /boot/grub2/grubenv + ^kernelopts=(.*)$ + 1 + + + /boot/grub2/grubenv + ^kernelopts=(.*)$ + 1 + + + /boot/grub2/grubenv + ^kernelopts=(.*)$ + 1 + + + openssl-pkcs11 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+atm\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+atm\s+(/bin/false|/bin/true)$ + 1 + + + 
/etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+atm\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+atm\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+atm\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+atm\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+atm\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+can\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+can\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+can\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+can\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+can\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+can\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+can\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + 
^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ + 1 + + + 
/usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + 
^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+rds\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+rds\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+rds\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+rds\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+rds\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+rds\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+rds\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ + 1 + 
+ + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+udf\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+udf\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+udf\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+udf\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+udf\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+udf\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+udf\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+vfat\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+vfat\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+vfat\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+vfat\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+vfat\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+vfat\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+vfat\s+(/bin/false|/bin/true)$ + 1 + + + /boot + + + /boot + + + /boot + + + /boot + + + /dev/shm + + + /dev/shm + + + /dev/shm + + + /home + + + /etc/fstab + 
+ 1 + + + /etc/fstab + + 1 + + + /etc/fstab + + 1 + + + /etc/fstab + + 1 + + + /etc/fstab + + 1 + + + /etc/fstab + + 1 + + + /opt + + + /srv + + + /tmp + + + /tmp + + + /tmp + + + /var/log/audit + + + /var/log/audit + + + /var/log/audit + + + /var/log + + + /var/log + + + /var/log + + + /var + + + /var + + + /var + + + GConf2 + + + MFEhiplsm + + + abrt-addon-ccpp + + + abrt-addon-kerneloops + + + abrt-addon-python + + + abrt-cli + + + abrt-plugin-logger + + + abrt-plugin-rhtsupport + + + abrt-plugin-sosreport + + + abrt + + + aide + + + audispd-plugins + + + audit-audispd-plugins + + + audit + + + avahi + + + bind + + + binutils + + + chrony + + + cron + + + cryptsetup-luks + + + dconf + + + dnf-automatic + + + esc + + + fapolicyd + + + gdm + + + gdm + + + geolite2-city + + + geolite2-country + + + gnutls-utils + + + gssproxy + + + inetutils-telnetd + + + iprutils + + + iptables + + + krb5-workstation + + + libcap-ng-utils + + + libreswan + + + libselinux + + + mcstrans + + + net-snmp + + + nfs-utils + + + nis + + + nss-tools + + + ntp + + + ntpdate + + + openldap-clients + + + opensc + + + openscap-scanner + + + openssh-server + + + openssh-server + + + pam_ldap + + + pcsc-lite + + + policycoreutils + + + prelink + + + rear + + + rng-tools + + + rsyslog-gnutls + + + rsyslog + + + samba-common + + + scap-security-guide + + + screen + + + sendmail + + + setroubleshoot-plugins + + + setroubleshoot-server + + + setroubleshoot + + + sssd-ipa + + + sudo + + + syslogng + + + tar + + + telnetd-ssl + + + telnetd + + + tmux + + + tuned + + + usbguard + + + vim + + + vsftpd + + + vsftpd + + + xorg-x11-server-common + + + /boot + + + /home + + + /opt + + + /srv + + + /tmp + + + /usr + + + /var + + + /var/log + + + /var/log/audit + + + ^atd\.(service|socket)$ + ActiveState + + + ^atd\.(service|socket)$ + LoadState + + + ^atd\.(service|socket)$ + FragmentPath + + + at + + + multi-user.target + + + multi-user.target + + + ^auditd\.(socket|service)$ + ActiveState + + + audit + + 
+ ^autofs\.(service|socket)$ + ActiveState + + + ^autofs\.(service|socket)$ + LoadState + + + ^autofs\.(service|socket)$ + FragmentPath + + + autofs + + + ^bluetooth\.(service|socket)$ + ActiveState + + + ^bluetooth\.(service|socket)$ + LoadState + + + ^bluetooth\.(service|socket)$ + FragmentPath + + + bluez + + + multi-user.target + + + multi-user.target + + + ^chronyd\.(socket|service)$ + ActiveState + + + chrony + + + multi-user.target + + + multi-user.target + + + ^cron\.(socket|service)$ + ActiveState + + + cron + + + multi-user.target + + + multi-user.target + + + ^crond\.(socket|service)$ + ActiveState + + + cronie + + + ^debug-shell\.(service|socket)$ + ActiveState + + + ^debug-shell\.(service|socket)$ + LoadState + + + ^debug-shell\.(service|socket)$ + FragmentPath + + + systemd + + + multi-user.target + + + multi-user.target + + + ^firewalld\.(socket|service)$ + ActiveState + + + firewalld + + + multi-user.target + + + multi-user.target + + + ^ip6tables\.(socket|service)$ + ActiveState + + + iptables-ipv6 + + + multi-user.target + + + multi-user.target + + + ^iptables\.(socket|service)$ + ActiveState + + + iptables + + + ^netfs\.(service|socket)$ + ActiveState + + + ^netfs\.(service|socket)$ + LoadState + + + ^netfs\.(service|socket)$ + FragmentPath + + + netfs + + + ^nfs-server\.(service|socket)$ + ActiveState + + + ^nfs-server\.(service|socket)$ + LoadState + + + ^nfs-server\.(service|socket)$ + FragmentPath + + + nfs-utils + + + ^nfslock\.(service|socket)$ + ActiveState + + + ^nfslock\.(service|socket)$ + LoadState + + + ^nfslock\.(service|socket)$ + FragmentPath + + + nfs-utils + + + multi-user.target + + + multi-user.target + + + ^ntp\.(socket|service)$ + ActiveState + + + ntp + + + multi-user.target + + + multi-user.target + + + ^ntpd\.(socket|service)$ + ActiveState + + + ntp + + + multi-user.target + + + multi-user.target + + + ^pcscd\.(socket|service)$ + ActiveState + + + pcsc-lite + + + multi-user.target + + + multi-user.target + + + 
^rngd\.(socket|service)$ + ActiveState + + + rng-tools + + + ^rpcgssd\.(service|socket)$ + ActiveState + + + ^rpcgssd\.(service|socket)$ + LoadState + + + ^rpcgssd\.(service|socket)$ + FragmentPath + + + nfs-utils + + + ^rpcidmapd\.(service|socket)$ + ActiveState + + + ^rpcidmapd\.(service|socket)$ + LoadState + + + ^rpcidmapd\.(service|socket)$ + FragmentPath + + + nfs-utils + + + ^rpcsvcgssd\.(service|socket)$ + ActiveState + + + ^rpcsvcgssd\.(service|socket)$ + LoadState + + + ^rpcsvcgssd\.(service|socket)$ + FragmentPath + + + nfs-utils + + + ^rsyncd\.(service|socket)$ + ActiveState + + + ^rsyncd\.(service|socket)$ + LoadState + + + ^rsyncd\.(service|socket)$ + FragmentPath + + + rsync-daemon + + + multi-user.target + + + multi-user.target + + + ^rsyslog\.(socket|service)$ + ActiveState + + + rsyslog + + + ^sshd\.(service|socket)$ + ActiveState + + + ^sshd\.(service|socket)$ + LoadState + + + ^sshd\.(service|socket)$ + FragmentPath + + + openssh-server + + + ^sssd\.(service|socket)$ + ActiveState + + + ^sssd\.(service|socket)$ + LoadState + + + ^sssd\.(service|socket)$ + FragmentPath + + + sssd-common + + + ^syslog\.(service|socket)$ + ActiveState + + + ^syslog\.(service|socket)$ + LoadState + + + ^syslog\.(service|socket)$ + FragmentPath + + + rsyslog + + + multi-user.target + + + multi-user.target + + + ^syslogng\.(socket|service)$ + ActiveState + + + syslogng + + + ^systemd-coredump\.(service|socket)$ + ActiveState + + + ^systemd-coredump\.(service|socket)$ + LoadState + + + ^systemd-coredump\.(service|socket)$ + FragmentPath + + + systemd + + + multi-user.target + + + multi-user.target + + + ^usbguard\.(socket|service)$ + ActiveState + + + usbguard + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ 
\t]*(?i)GSSAPIAuthentication(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PubkeyAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)AllowTcpForwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)IgnoreUserKnownHosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)X11Forwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)X11Forwarding(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)StrictModes(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)StrictModes(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)X11Forwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PrintLastLog(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PrintLastLog(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + 
^[ \t]*(?i)LogLevel(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)LogLevel(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)X11UseLocalhost(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)X11UseLocalhost(?-i)[ \t]+ + 1 + + + ^/etc/sudoers(|\.d/.*)$ + ^[\s]*Defaults.*\bnoexec\b.*$ + 1 + + + ^/etc/sudoers(|\.d/.*)$ + ^[\s]*Defaults.*\brequiretty\b.*$ + 1 + + + ^/etc/sudoers(|\.d/.*)$ + ^[\s]*Defaults.*\buse_pty\b.*$ + 1 + + + fs.protected_hardlinks + + + /etc/sysctl.conf + ^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$ + 1 + + + fs.protected_symlinks + + + /etc/sysctl.conf + ^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$ + 1 + + + fs.suid_dumpable + + + /etc/sysctl.conf + ^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$ + 1 + + + kernel.core_pattern + + + /etc/sysctl.conf + ^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$ + 
1 + + + kernel.dmesg_restrict + + + /etc/sysctl.conf + ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ + 1 + + + kernel.kexec_load_disabled + + + /etc/sysctl.conf + ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + kernel.kptr_restrict + + + /etc/sysctl.conf + ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ + 1 + + + kernel.modules_disabled + + + /etc/sysctl.conf + ^[\s]*kernel.modules_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.modules_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.modules_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.modules_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + kernel.perf_cpu_time_max_percent + + + /etc/sysctl.conf + ^[\s]*kernel.perf_cpu_time_max_percent[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.perf_cpu_time_max_percent[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.perf_cpu_time_max_percent[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.perf_cpu_time_max_percent[\s]*=[\s]*1[\s]*$ + 1 + + + kernel.perf_event_max_sample_rate + + + /etc/sysctl.conf + 
^[\s]*kernel.perf_event_max_sample_rate[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.perf_event_max_sample_rate[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.perf_event_max_sample_rate[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.perf_event_max_sample_rate[\s]*=[\s]*1[\s]*$ + 1 + + + kernel.perf_event_paranoid + + + /etc/sysctl.conf + ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$ + 1 + + + kernel.pid_max + + + /etc/sysctl.conf + ^[\s]*kernel.pid_max[\s]*=[\s]*65536[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.pid_max[\s]*=[\s]*65536[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.pid_max[\s]*=[\s]*65536[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.pid_max[\s]*=[\s]*65536[\s]*$ + 1 + + + kernel.randomize_va_space + + + /etc/sysctl.conf + ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ + 1 + + + kernel.sysrq + + + /etc/sysctl.conf + ^[\s]*kernel.sysrq[\s]*=[\s]*0[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.sysrq[\s]*=[\s]*0[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.sysrq[\s]*=[\s]*0[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.sysrq[\s]*=[\s]*0[\s]*$ + 1 + + + kernel.unprivileged_bpf_disabled + + + /etc/sysctl.conf + ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + 
^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + kernel.yama.ptrace_scope + + + /etc/sysctl.conf + ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ + 1 + + + net.core.bpf_jit_harden + + + /etc/sysctl.conf + ^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$ + 1 + + + net.ipv4.conf.all.accept_redirects + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv4.conf.all.accept_source_route + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + 
net.ipv4.conf.all.log_martians + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv4.conf.all.rp_filter + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv4.conf.all.secure_redirects + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv4.conf.all.send_redirects + + + /etc/sysctl.conf + ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ + 1 + + + net.ipv4.conf.default.accept_redirects + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + 
(?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv4.conf.default.accept_source_route + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv4.conf.default.log_martians + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv4.conf.default.rp_filter + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv4.conf.default.secure_redirects + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + 
(?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv4.conf.default.send_redirects + + + /etc/sysctl.conf + ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ + 1 + + + net.ipv4.icmp_echo_ignore_broadcasts + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv4.icmp_ignore_bogus_error_responses + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv4.ip_forward + + + /etc/sysctl.conf + ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + 
^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$ + 1 + + + net.ipv4.ip_local_port_range + + + /etc/sysctl.conf + ^[\s]*net.ipv4.ip_local_port_range[\s]*=[\s]*32768\s*65535[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.ip_local_port_range[\s]*=[\s]*32768\s*65535[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.ip_local_port_range[\s]*=[\s]*32768\s*65535[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.ip_local_port_range[\s]*=[\s]*32768\s*65535[\s]*$ + 1 + + + net.ipv4.tcp_syncookies + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv6.conf.all.accept_ra_defrtr + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv6.conf.all.accept_ra_pinfo + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + 
net.ipv6.conf.all.accept_ra_rtr_pref + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv6.conf.all.autoconf + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.all.autoconf[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.autoconf[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.autoconf[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.autoconf[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv6.conf.all.disable_ipv6 + + + /etc/sysctl.conf + ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ + 1 + + + net.ipv6.conf.all.max_addresses + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.all.max_addresses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.max_addresses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.max_addresses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.max_addresses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv6.conf.all.router_solicitations + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.all.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + 
(?:^|.*\n)[^#]*net.ipv6.conf.all.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv6.conf.default.accept_ra + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv6.conf.default.accept_ra_defrtr + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv6.conf.default.accept_ra_pinfo + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv6.conf.default.accept_ra_rtr_pref + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + 
(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv6.conf.default.accept_redirects + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv6.conf.default.autoconf + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.default.autoconf[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.autoconf[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.autoconf[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.autoconf[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv6.conf.default.max_addresses + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.default.max_addresses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.max_addresses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.max_addresses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.max_addresses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + net.ipv6.conf.default.router_solicitations + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.default.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + 
(?:^|.*\n)[^#]*net.ipv6.conf.default.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + user.max_user_namespaces + + + /etc/sysctl.conf + ^[\s]*user.max_user_namespaces[\s]*=[\s]*0[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*user.max_user_namespaces[\s]*=[\s]*0[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*user.max_user_namespaces[\s]*=[\s]*0[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*user.max_user_namespaces[\s]*=[\s]*0[\s]*$ + 1 + + + vm.mmap_min_addr + + + /etc/sysctl.conf + ^[\s]*vm.mmap_min_addr[\s]*=[\s]*65536[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*vm.mmap_min_addr[\s]*=[\s]*65536[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*vm.mmap_min_addr[\s]*=[\s]*65536[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*vm.mmap_min_addr[\s]*=[\s]*65536[\s]*$ + 1 + + + multi-user.target + + + dnf-automatic\.timer + ActiveState + + + /etc/pam.d/system-auth + ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_faillock\.so.*$ + 1 + + + /etc/pam.d/system-auth + ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$ + 1 + + + /usr/lib/systemd/system/auditd.service + ^ExecStartPost=\-\/sbin\/auditctl.*$ + 1 + + + /usr/lib/systemd/system/auditd.service + ^ExecStartPost=\-\/sbin\/augenrules.*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*log_group[ ]+=[ ]+root[ ]*$ + 1 + + + /etc/default/grub + ^\s*GRUB_DISABLE_RECOVERY=(.*)$ + 1 + + + ^/etc/chrony\.(conf|d/.+\.conf)$ + ^([\s]*server[\s]+.+$){2,}$ + 1 + + + /etc/default/grub + ^\s*GRUB_CMDLINE_LINUX_DEFAULT=.*$ + 1 + + + centos-release + + + centos-release + + + /etc/os-release + ^ID="(\w+)"$ + 1 + + + /etc/os-release + ^VERSION_ID="(\d)"$ + 1 + + + /etc/debian_version + + + /etc/debian_version + ^10.[0-9]+$ + 1 + + + /etc/debian_version + ^9.[0-9]+$ + 1 + + + fedora-release.* + + + /etc/system-release-cpe + ^cpe:\/o:fedoraproject:fedora:[\d]+$ + 1 + + + oraclelinux-release + + + oraclelinux-release + + + openSUSE-release + + + openSUSE-release + + + openSUSE-release + + + + /etc/os-release + ^ID="(\w+)"$ + 1 + + + /etc/os-release + ^VERSION_ID="(\d)\.\d+"$ + 1 + + + + redhat-release-client + + + 
redhat-release-workstation + + + redhat-release-server + + + redhat-release-computenode + + + /etc/redhat-release + ^Red Hat Enterprise Linux release (\d)\.\d+$ + 1 + + + + redhat-release + + + /etc/redhat-release + ^Red Hat Enterprise Linux release (\d)\.\d+$ + 1 + + + + redhat-release + + + /etc/redhat-release + ^Red Hat Enterprise Linux release (\d)\.\d+$ + 1 + + + redhat-release-virtualization-host + + + sl-release + + + sl-release + + + + sled-release + + + sles-release + + + SLES_SAP-release + + + + sled-release + + + sles-release + + + SLES_SAP-release + + + /etc/lsb-release + + + /etc/lsb-release + ^DISTRIB_ID=Ubuntu$ + 1 + + + /etc/lsb-release + ^DISTRIB_CODENAME=xenial$ + 1 + + + /etc/lsb-release + ^DISTRIB_CODENAME=bionic$ + 1 + + + /etc/lsb-release + ^DISTRIB_CODENAME=focal$ + 1 + + + + /etc/os-release + ^NAME=.Wind[\s]+River[\s]+Linux.*$ + 1 + + + /etc/os-release + ^VERSION=.10\.19.*$ + 1 + + + + /etc/wrlinux-release + ^VERSION=.8\.0.*$ + 1 + + + rhosp-release + + + rhosp-release + + + rhvm-appliance + + + chrony + + + gdm + + + grub2-common + + + /sys/firmware/opal + + + libuser + + + shadow-utils + + + net-snmp + + + nss-pam-ldapd + + + ntp + + + pam + + + sssd-common + + + sudo + + + systemd + + + yum + + + s390utils-base + + + /.dockerenv + + + /run/.containerenv + + + /etc/fstab + + 1 + + + /proc/sys/kernel/osrelease + ^.*\.(.*)$ + 1 + + + + + + oval:ssg-sshd_required:var:1 + + + oval:ssg-sshd_required:var:1 + + + oval:ssg-sshd_required:var:1 + + + openssh-server + + + /etc/sssd/sssd.conf + + + /etc/sssd/sssd.conf + ^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*id_provider[ \t]*=[ \t]*((?i)ad)[ \t]*$ + 1 + + + /sys/firmware/efi + + + + + + + + + + ^/etc/usbguard/(rules|rules\.d/.*)\.conf$ + ^.*\S+.*$ + 1 + + + oval:ssg-var_accounts_user_umask_umask_as_number:var:1 + + + oval:ssg-var_removable_partition:var:1 + + + oval:ssg-var_umask_for_daemons_umask_as_number:var:1 + + + + + + + + 0 + + + 0 + + + + + + maxpoll \d+ + + + ^["]?.*-u chrony.*["]?$ + + 
+ + + + + + + 0 + + + + + + + + + 0 + + + + + + 0 + + + + + + + + + sssd + + + + + + ^LinuxAudit$ + + + /etc/systemd/system/default.target + ^(/usr)?/lib/systemd/system/multi-user.target$ + + + + + + + + + + + + + + + + + + 0 + + + + + + + + + + + + ^0$|^never$ + + + 0 + + + + + + + + + /etc/systemd/system/ctrl-alt-del.target + /dev/null + + + if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi + + + + + + + + + ^.*ocsp_on.*$ + + + + + + -1 + + + + + + + + + + + + + + + + + + x|\* + + + + + + + + + + + + + + + + + + 0 + + + + + + + + + + + + + + + + + + + + + directory + false + false + false + false + false + false + false + false + false + + + directory + false + false + false + false + false + false + false + false + false + + + + + + /home + + + true + true + true + true + true + true + true + + + true + true + + + symbolic link + + + ^[:\.] + + + :: + + + \.\. + + + [:\.]$ + + + ^[^/] + + + [^\\]:[^/] + + + + + + + + + true + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + + + 0 + 0 + + + 0 + 0 + + + true + true + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + + + true + true + + + ^\/(dev|proc|sys)\/.*$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+) + + + regular + 0 + + + (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+) + + + regular + 0 + + + (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+) + + + regular + false + false + false + false + false + false + false + + + 
(?=[\S\s]*\s(?i)protocol(?-i)="tcp")(?=[\S\s]*\s(?i)Target(?-i)="[^"]+?")(?=[\S\s]*\s(?i)port(?-i)="6514")(?=[\S\s]*\s(?i)StreamDriver(?-i)="gtls")(?=[\S\s]*\s(?i)StreamDriverMode(?-i)="1")(?=[\S\s]*\s(?i)StreamDriverAuthMode(?-i)="x509/name")(?=[\S\s]*\s(?i)StreamDriver\.CheckExtendedKeyPurpose(?-i)="on") + + + ResultActive=auth_admin + + + PROMISC + + + 0 + true + + + false + true + + + 1000 + true + + + 1000 + true + + + 0 + + + false + false + false + false + false + false + false + false + false + false + + + true + + + + + + true + + + + + + regular + true + + + ^/selinux/(?:(?:member)|(?:user)|(?:relabel)|(?:create)|(?:access)|(?:context))$ + + + ^/proc/.*$ + + + ^/sys/.*$ + + + + + + + + + true + true + + + symbolic link + + + 0 + + + 0 + + + true + true + + + symbolic link + + + true + true + + + symbolic link + + + ^.*\bnousb\b.*$ + + + ^/dev/.*$ + nodev + + + + + + ^(?i)0(?-i)$ + + + ^(?i)none(?-i)$ + + + 0 + + + 0 + + + 0 + + + + + + 1 + + + ^(block|character) special$ + + + device_t + + + unlabeled_t + + + unconfined_service_t + + + + + + + + + \blm\b + + + ^(x86_64|aarch64|ppc64le|s390x)$ + + + + + + ^false$ + + + + + + + + + + + + + + + + + + + + + /etc/crypto-policies/back-ends/krb5.config + + + ^final all$ + + + ^512M 1h$ + + + ^no$ + + + ^aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc$ + + + ^ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256$ + + + ^hmac-sha2-512,hmac-sha2-256$ + + + ^ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1$ + + + ^'-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256'$ + + + fips + + + ^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$ + + + 1 + + + fail + false + false + + + fail + 
+ + ^yes$ + + + ^security$ + + + 5d5156ab + 12c944d0 + + + 5c6ae44d + 3c3359c4 + + + 5b6eac67 + cfc659b9 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^(?i)50(?-i)$ + + + ^(?i)yes(?-i)$ + + + ^(?i)ENRICHED(?-i)$ + + + ^(?i)hostname(?-i)$ + + + ^(?i)yes(?-i)$ + + + ^(?:.*\s)?selinux=0(?:\s.*)?$ + + + ^(?:.*\s)?selinux=0(?:\s.*)?$ + + + ^(?:.*\s)?selinux=0(?:\s.*)?$ + + + ^true$ + + + ^lock-screen$ + + + ^no$ + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + + + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + + + ^(?:.*\s)?audit=1(?:\s.*)?$ + + + ^(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$ + + + ^(?:.*\s)?iommu=force(?:\s.*)?$ + + + ^(?:.*\s)?ipv6\.disable=1(?:\s.*)?$ + + + ^(?:.*\s)?page_poison=1(?:\s.*)?$ + + + ^(?:.*\s)?pti=on(?:\s.*)?$ + + + 
^(?:.*\s)?slub_debug=P(?:\s.*)?$ + + + ^(?:.*\s)?vsyscall=none(?:\s.*)?$ + + + noauto + + + nodev + + + noexec + + + nosuid + + + nodev + + + noexec + + + nosuid + + + noexec + + + ^.*,?nodev,?.*$ + + + ^.*,?nodev,?.* + + + ^.*,?noexec,?.*$ + + + ^.*,?noexec,?.* + + + ^.*,?nosuid,?.*$ + + + ^.*,?nosuid,?.* + + + nosuid + + + nosuid + + + nodev + + + noexec + + + nosuid + + + nodev + + + noexec + + + nosuid + + + nodev + + + noexec + + + nosuid + + + nodev + + + noexec + + + nosuid + + + inactive + + + masked + + + /dev/null + + + auditd.service + + + auditd.socket + + + active + + + inactive + + + masked + + + /dev/null + + + inactive + + + masked + + + /dev/null + + + chronyd.service + + + chronyd.socket + + + active + + + cron.service + + + cron.socket + + + active + + + crond.service + + + crond.socket + + + active + + + inactive + + + masked + + + /dev/null + + + firewalld.service + + + firewalld.socket + + + active + + + ip6tables.service + + + ip6tables.socket + + + active + + + iptables.service + + + iptables.socket + + + active + + + inactive + + + masked + + + /dev/null + + + inactive + + + masked + + + /dev/null + + + inactive + + + masked + + + /dev/null + + + ntp.service + + + ntp.socket + + + active + + + ntpd.service + + + ntpd.socket + + + active + + + pcscd.service + + + pcscd.socket + + + active + + + rngd.service + + + rngd.socket + + + active + + + inactive + + + masked + + + /dev/null + + + inactive + + + masked + + + /dev/null + + + inactive + + + masked + + + /dev/null + + + inactive + + + masked + + + /dev/null + + + rsyslog.service + + + rsyslog.socket + + + active + + + inactive + + + masked + + + /dev/null + + + inactive + + + masked + + + /dev/null + + + inactive + + + masked + + + /dev/null + + + syslogng.service + + + syslogng.socket + + + active + + + inactive + + + masked + + + /dev/null + + + usbguard.service + + + usbguard.socket + + + active + + + ^no$ + + + ^no$ + + + ^no$ + + + ^no$ + + + ^yes$ + + + ^no$ + + + 
^prohibit-password$ + + + ^no$ + + + ^yes$ + + + ^no$ + + + ^no$ + + + ^yes$ + + + ^yes$ + + + ^/etc/issue$ + + + ^yes$ + + + ^yes$ + + + ^0$ + + + ^INFO$ + + + ^VERBOSE$ + + + ^yes$ + + + 1 + + + 1 + + + 0 + + + |/bin/false + + + 1 + + + 1 + + + 1 + + + 1 + + + 1 + + + 1 + + + 2 + + + 65536 + + + 2 + + + 0 + + + 1 + + + 1 + + + 2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + + + + + + + + + + + + + 0 + + + 32768\s*65535 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + 65536 + + + dnf-automatic.timer + + + active + + + ^true|"true"$ + + + ^6.*$ + + + ^7.*$ + + + centos + + + 8 + + + ^7.*$ + + + ^8.*$ + + + openSUSE-release + + + ^15.*$ + + + ^42.*$ + + + unix + + + rhcos + + + 4 + + + unix + + + ^7.*$ + + + ^7.*$ + + + ^7.*$ + + + ^7.*$ + + + 7 + + + unix + + + ^8.*$ + + + 8 + + + unix + + + ^9.*$ + + + 9 + + + 0:4.4 + + + ^6.*$ + + + ^7.*$ + + + unix + + + ^12.*$ + + + ^12.*$ + + + ^12.*$ + + + unix + + + ^15.*$ + + + ^15.*$ + + + ^15.*$ + + + unix + + + unix + + + ^10.*$ + + + ^13.*$ + + + ^4.*$ + + + ^s390x$ + + + 1 + + + 2 + + + 0 + + + 0:7.4 + + + aarch64 + + + ppc64 + + + ppc64le + + + s390x + + + i686 + + + x86_64 + + + /dev/cdrom + + + + + + + + + ^[\s]*RekeyLimit[\s]+ + + [\s]+ + + [\s]*$ + + + + + + + + + + + + + + + + pam_unix(?:.*[\n](?:.*[\n]){ + + })(?:.*[\n])*auth.*pam_faillock.so[\s]+[^\n]*deny=([0-9]+) + + + + + ^[^#]*pam_unix(?:.*[\n](?:.*[\n]){ + + })(?:.*[\n])*auth.*pam_faillock.so[\s]+[^\n]*deny=([0-9]+) + + + + + + + + + + + + + + + + \nauth[\s]+required[\s]+pam_env.so + \nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s] + login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid + 
\nauth[\s]+\[success=done[\s]authinfo_unavail=ignore[\s]ignore=ignore[\s]default=die\][\s] + pam_pkcs11.so[\s]nodebug\n + + + + + \nauth[\s]+required[\s]+pam_env.so + \nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s] + login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid + \nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s] + pam_pkcs11.so[\s]nodebug[\s]wait_for_card\n + + + + + \nauth[\s]+required[\s]+pam_env.so + \nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s] + pam_pkcs11.so[\s]nodebug[\s]wait_for_card\n.* + \npassword[\s]+required[\s]+pam_pkcs11.so\n + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 5000 + + + + 5000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 64 + + + + 8 + + + + + + + + + + + + + + + + + + + + + + + + 64 + + + + 8 + + + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^/etc/rsyslog.conf$ + + + + + + + + + + + + + + + + ^/etc/rsyslog.conf$ + + + + + + + + + + + + + + + + ^/etc/rsyslog.conf$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 64 + + + + 8 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + / + + + + + + + / + + + + + + + + + + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + 
(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + (?:[^.]|\.\s)* + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + (?:[^.]|\.\s)* + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! 
+ + | + + ).*$\n)*^ + + $ + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + (?:[^.]|\.\s)* + + + + + (?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + (?:[^.]|\.\s)* + + + + + (?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + 
(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + (?:[^.]|\.\s)* + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + (?:[^.]|\.\s)* + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! 
+ + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + /dev/cdrom + /dev/dvd + /dev/scd0 + /dev/sr0 + + + + ^[\s]* + + [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + + + + + ^[\s]* + + 
[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + + + + + /dev/cdrom + /dev/dvd + /dev/scd0 + /dev/sr0 + + + + ^[\s]* + + [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + + + + + ^[\s]* + + [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + + + + /dev/cdrom + /dev/dvd + /dev/scd0 + /dev/sr0 + + + + ^[\s]* + + [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + + + + + ^[\s]* + + [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /dev/cdrom + /dev/dvd + /dev/scd0 + /dev/sr0 + + + + + + + + + + + + + + + + + + + + + + 64 + + + + 8 + + + + + + + + + + + + + + + + + + + + + + + + + 64 + + + + 8 + + + + + + + + + + + + xccdf-create-ocil.xslt from SCAP Security Guide + ssg: 0.1.56 + 2.0 + 2021-05-26T00:00:00Z + + + + Prefer to use a 64-bit Operating System when supported + + ocil:ssg-prefer_64bit_os_action:testaction:1 + + + + Verify File Hashes with RPM + + ocil:ssg-rpm_verify_hashes_action:testaction:1 + + + + Verify and Correct File Permissions with RPM + + ocil:ssg-rpm_verify_permissions_action:testaction:1 + + + + Install AIDE + + ocil:ssg-package_aide_installed_action:testaction:1 + + + + Build and Test AIDE Database + + ocil:ssg-aide_build_database_action:testaction:1 + + + + Configure Periodic Execution of AIDE + + ocil:ssg-aide_periodic_cron_checking_action:testaction:1 + + + + Set kernel parameter 'crypto.fips_enabled' to 1 + + ocil:ssg-sysctl_crypto_fips_enabled_action:testaction:1 + + + + Enable FIPS Mode + + ocil:ssg-enable_fips_mode_action:testaction:1 + + + + Ensure '/etc/system-fips' exists + + ocil:ssg-etc_system_fips_exists_action:testaction:1 + + + + Enable Dracut FIPS Module + + ocil:ssg-enable_dracut_fips_module_action:testaction:1 + + + + Configure OpenSSL library to use System Crypto Policy + + ocil:ssg-configure_openssl_crypto_policy_action:testaction:1 + + + + Harden SSHD Crypto Policy + + ocil:ssg-harden_sshd_crypto_policy_action:testaction:1 + + + + Configure 
Libreswan to use System Crypto Policy + + ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1 + + + + Harden SSH client Crypto Policy + + ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1 + + + + Configure SSH to use System Crypto Policy + + ocil:ssg-configure_ssh_crypto_policy_action:testaction:1 + + + + Configure System Cryptography Policy + + ocil:ssg-configure_crypto_policy_action:testaction:1 + + + + Configure BIND to use System Crypto Policy + + ocil:ssg-configure_bind_crypto_policy_action:testaction:1 + + + + Configure Kerberos to use System Crypto Policy + + ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1 + + + + Install Intrusion Detection Software + + ocil:ssg-install_hids_action:testaction:1 + + + + Install Virus Scanning Software + + ocil:ssg-install_antivirus_action:testaction:1 + + + + Configure Backups of User Data + + ocil:ssg-configure_user_data_backups_action:testaction:1 + + + + Install the Host Intrusion Prevention System (HIPS) Module + + ocil:ssg-package_MFEhiplsm_installed_action:testaction:1 + + + + The Installed Operating System Is Vendor Supported + + ocil:ssg-installed_OS_is_vendor_supported_action:testaction:1 + + + + The Installed Operating System Is FIPS 140-2 Certified + + ocil:ssg-installed_OS_is_FIPS_certified_action:testaction:1 + + + + Install binutils Package + + ocil:ssg-package_binutils_installed_action:testaction:1 + + + + Install cryptsetup-luks Package + + ocil:ssg-package_cryptsetup-luks_installed_action:testaction:1 + + + + Ensure gnutls-utils is installed + + ocil:ssg-package_gnutls-utils_installed_action:testaction:1 + + + + Install libcap-ng-utils Package + + ocil:ssg-package_libcap-ng-utils_installed_action:testaction:1 + + + + Ensure nss-tools is installed + + ocil:ssg-package_nss-tools_installed_action:testaction:1 + + + + Install openscap-scanner Package + + ocil:ssg-package_openscap-scanner_installed_action:testaction:1 + + + + Install rear Package + + 
ocil:ssg-package_rear_installed_action:testaction:1 + + + + Install rng-tools Package + + ocil:ssg-package_rng-tools_installed_action:testaction:1 + + + + Install scap-security-guide Package + + ocil:ssg-package_scap-security-guide_installed_action:testaction:1 + + + + Install tar Package + + ocil:ssg-package_tar_installed_action:testaction:1 + + + + Install vim Package + + ocil:ssg-package_vim_installed_action:testaction:1 + + + + Uninstall abrt-addon-ccpp Package + + ocil:ssg-package_abrt-addon-ccpp_removed_action:testaction:1 + + + + Uninstall abrt-addon-kerneloops Package + + ocil:ssg-package_abrt-addon-kerneloops_removed_action:testaction:1 + + + + Uninstall abrt-addon-python Package + + ocil:ssg-package_abrt-addon-python_removed_action:testaction:1 + + + + Uninstall abrt-cli Package + + ocil:ssg-package_abrt-cli_removed_action:testaction:1 + + + + Uninstall abrt-plugin-logger Package + + ocil:ssg-package_abrt-plugin-logger_removed_action:testaction:1 + + + + Uninstall abrt-plugin-rhtsupport Package + + ocil:ssg-package_abrt-plugin-rhtsupport_removed_action:testaction:1 + + + + Uninstall abrt-plugin-sosreport Package + + ocil:ssg-package_abrt-plugin-sosreport_removed_action:testaction:1 + + + + Uninstall geolite2-city Package + + ocil:ssg-package_geolite2-city_removed_action:testaction:1 + + + + Uninstall geolite2-country Package + + ocil:ssg-package_geolite2-country_removed_action:testaction:1 + + + + Uninstall gssproxy Package + + ocil:ssg-package_gssproxy_removed_action:testaction:1 + + + + Uninstall iprutils Package + + ocil:ssg-package_iprutils_removed_action:testaction:1 + + + + Uninstall krb5-workstation Package + + ocil:ssg-package_krb5-workstation_removed_action:testaction:1 + + + + Uninstall tuned Package + + ocil:ssg-package_tuned_removed_action:testaction:1 + + + + Install sudo Package + + ocil:ssg-package_sudo_installed_action:testaction:1 + + + + Explicit arguments in sudo specifications + + 
ocil:ssg-sudoers_explicit_command_args_action:testaction:1 + + + + Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate + + ocil:ssg-sudo_remove_no_authenticate_action:testaction:1 + + + + Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC + + ocil:ssg-sudo_add_noexec_action:testaction:1 + + + + Ensure invoking users password for privilege escalation when using sudo + + ocil:ssg-sudoers_validate_passwd_action:testaction:1 + + + + Don't target root user in the sudoers file + + ocil:ssg-sudoers_no_root_target_action:testaction:1 + + + + Only the VDSM User Can Use sudo NOPASSWD + + ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1 + + + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty + + ocil:ssg-sudo_add_use_pty_action:testaction:1 + + + + Ensure Users Re-Authenticate for Privilege Escalation - sudo + + ocil:ssg-sudo_require_authentication_action:testaction:1 + + + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty + + ocil:ssg-sudo_add_requiretty_action:testaction:1 + + + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + ocil:ssg-sudo_remove_nopasswd_action:testaction:1 + + + + Don't define allowed commands in sudoers by means of exclusion + + ocil:ssg-sudoers_no_command_negation_action:testaction:1 + + + + Remove the GDM Package Group + + ocil:ssg-package_gdm_removed_action:testaction:1 + + + + Make sure that the dconf databases are up-to-date with regards to respective keyfiles + + ocil:ssg-dconf_db_up_to_date_action:testaction:1 + + + + Configure GNOME3 DConf User Profile + + ocil:ssg-enable_dconf_user_profile_action:testaction:1 + + + + Disable WIFI Network Notification in GNOME3 + + ocil:ssg-dconf_gnome_disable_wifi_notification_action:testaction:1 + + + + Disable WIFI Network Connection Creation in GNOME3 + + ocil:ssg-dconf_gnome_disable_wifi_create_action:testaction:1 + + + + Require Credential Prompting for Remote Access in GNOME3 + 
+ ocil:ssg-dconf_gnome_remote_access_credential_prompt_action:testaction:1 + + + + Require Encryption for Remote Access in GNOME3 + + ocil:ssg-dconf_gnome_remote_access_encryption_action:testaction:1 + + + + Disable GNOME3 Automount Opening + + ocil:ssg-dconf_gnome_disable_automount_open_action:testaction:1 + + + + Disable GNOME3 Automounting + + ocil:ssg-dconf_gnome_disable_automount_action:testaction:1 + + + + Disable All GNOME3 Thumbnailers + + ocil:ssg-dconf_gnome_disable_thumbnailers_action:testaction:1 + + + + Disable GNOME3 Automount running + + ocil:ssg-dconf_gnome_disable_autorun_action:testaction:1 + + + + Disable Power Settings in GNOME3 + + ocil:ssg-dconf_gnome_disable_power_settings_action:testaction:1 + + + + Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 + + ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 + + + + Disable User Administration in GNOME3 + + ocil:ssg-dconf_gnome_disable_user_admin_action:testaction:1 + + + + Disable Geolocation in GNOME3 + + ocil:ssg-dconf_gnome_disable_geolocation_action:testaction:1 + + + + Ensure Users Cannot Change GNOME3 Session Idle Settings + + ocil:ssg-dconf_gnome_session_idle_user_locks_action:testaction:1 + + + + Disable Full User Name on Splash Shield + + ocil:ssg-dconf_gnome_screensaver_user_info_action:testaction:1 + + + + Ensure Users Cannot Change GNOME3 Screensaver Idle Activation + + ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_action:testaction:1 + + + + Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period + + ocil:ssg-dconf_gnome_screensaver_lock_locked_action:testaction:1 + + + + Set GNOME3 Screensaver Inactivity Timeout + + ocil:ssg-dconf_gnome_screensaver_idle_delay_action:testaction:1 + + + + Enable GNOME3 Screensaver Idle Activation + + ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_action:testaction:1 + + + + Enable GNOME3 Screensaver Lock After Idle Period + + ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 + + + + 
Implement Blank Screensaver + + ocil:ssg-dconf_gnome_screensaver_mode_blank_action:testaction:1 + + + + Set GNOME3 Screensaver Lock Delay After Activation Period + + ocil:ssg-dconf_gnome_screensaver_lock_delay_action:testaction:1 + + + + Ensure Users Cannot Change GNOME3 Screensaver Settings + + ocil:ssg-dconf_gnome_screensaver_user_locks_action:testaction:1 + + + + Disable GDM Automatic Login + + ocil:ssg-gnome_gdm_disable_automatic_login_action:testaction:1 + + + + Set the GNOME3 Login Number of Failures + + ocil:ssg-dconf_gnome_login_retries_action:testaction:1 + + + + Disable XDMCP in GDM + + ocil:ssg-gnome_gdm_disable_xdmcp_action:testaction:1 + + + + Disable the GNOME3 Login User List + + ocil:ssg-dconf_gnome_disable_user_list_action:testaction:1 + + + + Disable GDM Guest Login + + ocil:ssg-gnome_gdm_disable_guest_login_action:testaction:1 + + + + Enable the GNOME3 Login Smartcard Authentication + + ocil:ssg-dconf_gnome_enable_smartcard_auth_action:testaction:1 + + + + Enable the GNOME3 Screen Locking On Smartcard Removal + + ocil:ssg-dconf_gnome_lock_screen_on_smartcard_removal_action:testaction:1 + + + + Disable the GNOME3 Login Restart and Shutdown Buttons + + ocil:ssg-dconf_gnome_disable_restart_shutdown_action:testaction:1 + + + + Ensure /usr Located On Separate Partition + + ocil:ssg-partition_for_usr_action:testaction:1 + + + + Ensure /tmp Located On Separate Partition + + ocil:ssg-partition_for_tmp_action:testaction:1 + + + + Ensure /home Located On Separate Partition + + ocil:ssg-partition_for_home_action:testaction:1 + + + + Ensure /var Located On Separate Partition + + ocil:ssg-partition_for_var_action:testaction:1 + + + + Ensure /var/log Located On Separate Partition + + ocil:ssg-partition_for_var_log_action:testaction:1 + + + + Ensure /boot Located On Separate Partition + + ocil:ssg-partition_for_boot_action:testaction:1 + + + + Ensure /var/log/audit Located On Separate Partition + + ocil:ssg-partition_for_var_log_audit_action:testaction:1 + + + 
+ Ensure /opt Located On Separate Partition + + ocil:ssg-partition_for_opt_action:testaction:1 + + + + Ensure /srv Located On Separate Partition + + ocil:ssg-partition_for_srv_action:testaction:1 + + + + Install dnf-automatic Package + + ocil:ssg-package_dnf-automatic_installed_action:testaction:1 + + + + Ensure Fedora GPG Key Installed + + ocil:ssg-ensure_fedora_gpgkey_installed_action:testaction:1 + + + + Ensure gpgcheck Enabled for All dnf Package Repositories + + ocil:ssg-ensure_gpgcheck_never_disabled_action:testaction:1 + + + + Configure dnf-automatic to Install Only Security Updates + + ocil:ssg-dnf-automatic_security_updates_only_action:testaction:1 + + + + Configure dnf-automatic to Install Available Updates Automatically + + ocil:ssg-dnf-automatic_apply_updates_action:testaction:1 + + + + Enable dnf-automatic Timer + + ocil:ssg-timer_dnf-automatic_enabled_action:testaction:1 + + + + Ensure gpgcheck Enabled In Main dnf Configuration + + ocil:ssg-ensure_gpgcheck_globally_activated_action:testaction:1 + + + + Ensure gpgcheck Enabled for Local Packages + + ocil:ssg-ensure_gpgcheck_local_packages_action:testaction:1 + + + + Verify ownership of System Login Banner + + ocil:ssg-file_owner_etc_issue_action:testaction:1 + + + + Verify permissions on Message of the Day Banner + + ocil:ssg-file_permissions_etc_motd_action:testaction:1 + + + + Verify permissions on System Login Banner + + ocil:ssg-file_permissions_etc_issue_action:testaction:1 + + + + Verify Group Ownership of System Login Banner + + ocil:ssg-file_groupowner_etc_issue_action:testaction:1 + + + + Verify ownership of Message of the Day Banner + + ocil:ssg-file_owner_etc_motd_action:testaction:1 + + + + Verify Group Ownership of Message of the Day Banner + + ocil:ssg-file_groupowner_etc_motd_action:testaction:1 + + + + Modify the System Login Banner + + ocil:ssg-banner_etc_issue_action:testaction:1 + + + + Modify the System Message of the Day Banner + + ocil:ssg-banner_etc_motd_action:testaction:1 + + + 
+ Set the GNOME3 Login Warning Banner Text + + ocil:ssg-dconf_gnome_login_banner_text_action:testaction:1 + + + + Enable GNOME3 Login Warning Banner + + ocil:ssg-dconf_gnome_banner_enabled_action:testaction:1 + + + + Set Up a Private Namespace in PAM Configuration + + ocil:ssg-enable_pam_namespace_action:testaction:1 + + + + Ensure PAM Displays Last Logon/Access Notification + + ocil:ssg-display_login_attempts_action:testaction:1 + + + + Configure the root Account for Failed Password Attempts + + ocil:ssg-accounts_passwords_pam_faillock_deny_root_action:testaction:1 + + + + Enforce pam_faillock for Local Accounts Only + + ocil:ssg-accounts_passwords_pam_faillock_enforce_local_action:testaction:1 + + + + Set Interval For Counting Failed Password Attempts + + ocil:ssg-accounts_passwords_pam_faillock_interval_action:testaction:1 + + + + Limit Password Reuse + + ocil:ssg-accounts_password_pam_unix_remember_action:testaction:1 + + + + Set Lockout Time for Failed Password Attempts + + ocil:ssg-accounts_passwords_pam_faillock_unlock_time_action:testaction:1 + + + + Set Deny For Failed Password Attempts + + ocil:ssg-accounts_passwords_pam_faillock_deny_action:testaction:1 + + + + Ensure PAM Enforces Password Requirements - Minimum Different Characters + + ocil:ssg-accounts_password_pam_difok_action:testaction:1 + + + + Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session + + ocil:ssg-accounts_password_pam_retry_action:testaction:1 + + + + Ensure PAM Enforces Password Requirements - Minimum Length + + ocil:ssg-accounts_password_pam_minlen_action:testaction:1 + + + + Set Password Maximum Consecutive Repeating Characters + + ocil:ssg-accounts_password_pam_maxrepeat_action:testaction:1 + + + + Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters + + ocil:ssg-accounts_password_pam_ucredit_action:testaction:1 + + + + Ensure PAM Enforces Password Requirements - Minimum Different Categories + + 
ocil:ssg-accounts_password_pam_minclass_action:testaction:1 + + + + Ensure PAM Enforces Password Requirements - Minimum Digit Characters + + ocil:ssg-accounts_password_pam_dcredit_action:testaction:1 + + + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class + + ocil:ssg-accounts_password_pam_maxclassrepeat_action:testaction:1 + + + + Ensure PAM Enforces Password Requirements - Minimum Special Characters + + ocil:ssg-accounts_password_pam_ocredit_action:testaction:1 + + + + Ensure PAM Enforces Password Requirements - Enforce for root User + + ocil:ssg-accounts_password_pam_enforce_root_action:testaction:1 + + + + Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only + + ocil:ssg-accounts_password_pam_enforce_local_action:testaction:1 + + + + Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters + + ocil:ssg-accounts_password_pam_lcredit_action:testaction:1 + + + + Set Password Hashing Algorithm in /etc/login.defs + + ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 + + + + Set PAM's Password Hashing Algorithm + + ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1 + + + + Set Password Hashing Algorithm in /etc/libuser.conf + + ocil:ssg-set_password_hashing_algorithm_libuserconf_action:testaction:1 + + + + Disable debug-shell SystemD Service + + ocil:ssg-service_debug-shell_disabled_action:testaction:1 + + + + Require Authentication for Emergency Systemd Target + + ocil:ssg-require_emergency_target_auth_action:testaction:1 + + + + Disable Ctrl-Alt-Del Reboot Activation + + ocil:ssg-disable_ctrlaltdel_reboot_action:testaction:1 + + + + Require Authentication for Single User Mode + + ocil:ssg-require_singleuser_auth_action:testaction:1 + + + + Verify that Interactive Boot is Disabled + + ocil:ssg-grub2_disable_interactive_boot_action:testaction:1 + + + + Install the opensc Package For Multifactor Authentication + + 
ocil:ssg-package_opensc_installed_action:testaction:1 + + + + Install the pcsc-lite package + + ocil:ssg-package_pcsc-lite_installed_action:testaction:1 + + + + Enable the pcscd Service + + ocil:ssg-service_pcscd_enabled_action:testaction:1 + + + + Install Smart Card Packages For Multifactor Authentication + + ocil:ssg-install_smartcard_packages_action:testaction:1 + + + + Enable Smart Card Login + + ocil:ssg-smartcard_auth_action:testaction:1 + + + + Force opensc To Use Defined Smart Card Driver + + ocil:ssg-force_opensc_card_drivers_action:testaction:1 + + + + Configure NSS DB To Use opensc + + ocil:ssg-configure_opensc_nss_db_action:testaction:1 + + + + Configure opensc Smart Card Drivers + + ocil:ssg-configure_opensc_card_drivers_action:testaction:1 + + + + Install the screen Package + + ocil:ssg-package_screen_installed_action:testaction:1 + + + + Install the tmux Package + + ocil:ssg-package_tmux_installed_action:testaction:1 + + + + Prevent user from disabling the screen lock + + ocil:ssg-no_tmux_in_shells_action:testaction:1 + + + + Configure the tmux Lock Command + + ocil:ssg-configure_tmux_lock_command_action:testaction:1 + + + + Configure tmux to lock session after inactivity + + ocil:ssg-configure_tmux_lock_after_time_action:testaction:1 + + + + Support session locking with tmux + + ocil:ssg-configure_bashrc_exec_tmux_action:testaction:1 + + + + Set Password Warning Age + + ocil:ssg-accounts_password_warn_age_login_defs_action:testaction:1 + + + + Set Password Minimum Age + + ocil:ssg-accounts_minimum_age_login_defs_action:testaction:1 + + + + Set Password Maximum Age + + ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 + + + + Set Password Minimum Length in login.defs + + ocil:ssg-accounts_password_minlen_login_defs_action:testaction:1 + + + + Enforce usage of pam_wheel for su authentication + + ocil:ssg-use_pam_wheel_for_su_action:testaction:1 + + + + Restrict Virtual Console Root Logins + + 
ocil:ssg-securetty_root_login_console_only_action:testaction:1 + + + + Restrict Serial Port Root Logins + + ocil:ssg-restrict_serial_port_logins_action:testaction:1 + + + + Ensure that System Accounts Do Not Run a Shell Upon Login + + ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 + + + + Direct root Logins Not Allowed + + ocil:ssg-no_direct_root_logins_action:testaction:1 + + + + Verify Only Root Has UID 0 + + ocil:ssg-accounts_no_uid_except_zero_action:testaction:1 + + + + Restrict Web Browser Use for Administrative Accounts + + ocil:ssg-no_root_webbrowsing_action:testaction:1 + + + + Ensure that System Accounts Are Locked + + ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1 + + + + Root Path Must Be Vendor Default + + ocil:ssg-root_path_default_action:testaction:1 + + + + All GIDs referenced in /etc/passwd must be defined in /etc/group + + ocil:ssg-gid_passwd_group_same_action:testaction:1 + + + + Ensure there are no legacy + NIS entries in /etc/shadow + + ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1 + + + + Verify No netrc Files Exist + + ocil:ssg-no_netrc_files_action:testaction:1 + + + + Verify All Account Password Hashes are Shadowed + + ocil:ssg-accounts_password_all_shadowed_action:testaction:1 + + + + Prevent Login to Accounts With Empty Password + + ocil:ssg-no_empty_passwords_action:testaction:1 + + + + Set number of Password Hashing Rounds - password-auth + + ocil:ssg-accounts_password_pam_unix_rounds_password_auth_action:testaction:1 + + + + Ensure there are no legacy + NIS entries in /etc/passwd + + ocil:ssg-no_legacy_plus_entries_etc_passwd_action:testaction:1 + + + + Set number of Password Hashing Rounds - system-auth + + ocil:ssg-accounts_password_pam_unix_rounds_system_auth_action:testaction:1 + + + + Ensure there are no legacy + NIS entries in /etc/group + + ocil:ssg-no_legacy_plus_entries_etc_group_action:testaction:1 + + + + Assign Expiration Date to Temporary Accounts + + 
ocil:ssg-account_temp_expire_date_action:testaction:1 + + + + Use Centralized and Automated Authentication + + ocil:ssg-account_use_centralized_automated_auth_action:testaction:1 + + + + Set Account Expiration Following Inactivity + + ocil:ssg-account_disable_post_pw_expiration_action:testaction:1 + + + + Ensure All Accounts on the System Have Unique Names + + ocil:ssg-account_unique_name_action:testaction:1 + + + + Configure Polyinstantiation of /tmp Directories + + ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1 + + + + Ensure the Logon Failure Delay is Set Correctly in login.defs + + ocil:ssg-accounts_logon_fail_delay_action:testaction:1 + + + + Limit the Number of Concurrent Login Sessions Allowed Per User + + ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1 + + + + Ensure that User Home Directories are not Group-Writable or World-Readable + + ocil:ssg-file_permissions_home_dirs_action:testaction:1 + + + + Ensure Home Directories are Created for New Users + + ocil:ssg-accounts_have_homedir_login_defs_action:testaction:1 + + + + Configure Polyinstantiation of /var/tmp Directories + + ocil:ssg-accounts_polyinstantiated_var_tmp_action:testaction:1 + + + + Set Interactive Session Timeout + + ocil:ssg-accounts_tmout_action:testaction:1 + + + + Ensure that Root's Path Does Not Include World or Group-Writable Directories + + ocil:ssg-accounts_root_path_dirs_no_write_action:testaction:1 + + + + Ensure the Default Umask is Set Correctly in login.defs + + ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1 + + + + Ensure the Default Umask is Set Correctly in /etc/profile + + ocil:ssg-accounts_umask_etc_profile_action:testaction:1 + + + + Install audispd-plugins Package + + ocil:ssg-package_audispd-plugins_installed_action:testaction:1 + + + + Ensure the default plugins for the audit dispatcher are Installed + + ocil:ssg-package_audit-audispd-plugins_installed_action:testaction:1 + + + + Ensure the audit Subsystem is Installed + + 
ocil:ssg-package_audit_installed_action:testaction:1 + + + + Enable auditd Service + + ocil:ssg-service_auditd_enabled_action:testaction:1 + + + + Extend Audit Backlog Limit for the Audit Daemon + + ocil:ssg-grub2_audit_backlog_limit_argument_action:testaction:1 + + + + Enable Auditing for Processes Which Start Prior to the Audit Daemon + + ocil:ssg-grub2_audit_argument_action:testaction:1 + + + + Record Events that Modify User/Group Information via openat syscall - /etc/shadow + + ocil:ssg-audit_rules_etc_shadow_openat_action:testaction:1 + + + + Record Events that Modify User/Group Information via open syscall - /etc/shadow + + ocil:ssg-audit_rules_etc_shadow_open_action:testaction:1 + + + + Ensure auditd Collects System Administrator Actions + + ocil:ssg-audit_rules_sysadmin_actions_action:testaction:1 + + + + Record Events that Modify User/Group Information via openat syscall - /etc/passwd + + ocil:ssg-audit_rules_etc_passwd_openat_action:testaction:1 + + + + Record Events that Modify User/Group Information - /etc/shadow + + ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1 + + + + Record Access Events to Audit Log Directory + + ocil:ssg-directory_access_var_log_audit_action:testaction:1 + + + + Record Events that Modify User/Group Information - /etc/group + + ocil:ssg-audit_rules_usergroup_modification_group_action:testaction:1 + + + + System Audit Logs Must Be Owned By Root + + ocil:ssg-file_ownership_var_log_audit_action:testaction:1 + + + + Record Events that Modify the System's Network Environment + + ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1 + + + + Record Events that Modify User/Group Information via open syscall - /etc/gshadow + + ocil:ssg-audit_rules_etc_gshadow_open_action:testaction:1 + + + + Record Events that Modify User/Group Information via open syscall - /etc/passwd + + ocil:ssg-audit_rules_etc_passwd_open_action:testaction:1 + + + + Ensure auditd Collects Information on Exporting to Media 
(successful) + + ocil:ssg-audit_rules_media_export_action:testaction:1 + + + + Record Events that Modify User/Group Information - /etc/security/opasswd + + ocil:ssg-audit_rules_usergroup_modification_opasswd_action:testaction:1 + + + + System Audit Logs Must Have Mode 0750 or Less Permissive + + ocil:ssg-directory_permissions_var_log_audit_action:testaction:1 + + + + Record Events that Modify User/Group Information - /etc/passwd + + ocil:ssg-audit_rules_usergroup_modification_passwd_action:testaction:1 + + + + Record Events that Modify User/Group Information + + ocil:ssg-audit_rules_usergroup_modification_action:testaction:1 + + + + Record Events that Modify User/Group Information via open syscall - /etc/group + + ocil:ssg-audit_rules_etc_group_open_action:testaction:1 + + + + Record Events that Modify User/Group Information - /etc/gshadow + + ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 + + + + System Audit Logs Must Have Mode 0640 or Less Permissive + + ocil:ssg-file_permissions_var_log_audit_action:testaction:1 + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow + + ocil:ssg-audit_rules_etc_gshadow_open_by_handle_at_action:testaction:1 + + + + Record Events that Modify User/Group Information via openat syscall - /etc/group + + ocil:ssg-audit_rules_etc_group_openat_action:testaction:1 + + + + Record Events that Modify User/Group Information via openat syscall - /etc/gshadow + + ocil:ssg-audit_rules_etc_gshadow_openat_action:testaction:1 + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd + + ocil:ssg-audit_rules_etc_passwd_open_by_handle_at_action:testaction:1 + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group + + ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1 + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow + + 
ocil:ssg-audit_rules_etc_shadow_open_by_handle_at_action:testaction:1 + + + + Record Events that Modify the System's Mandatory Access Controls + + ocil:ssg-audit_rules_mac_modification_action:testaction:1 + + + + Record Successful Access Attempts to Files - ftruncate + + ocil:ssg-audit_rules_successful_file_modification_ftruncate_action:testaction:1 + + + + Record Successful Permission Changes to Files - lsetxattr + + ocil:ssg-audit_rules_successful_file_modification_lsetxattr_action:testaction:1 + + + + Record Successful Access Attempts to Files - openat + + ocil:ssg-audit_rules_successful_file_modification_openat_action:testaction:1 + + + + Record Unsuccessul Permission Changes to Files - lsetxattr + + ocil:ssg-audit_rules_unsuccessful_file_modification_lsetxattr_action:testaction:1 + + + + Record Unsuccessful Access Attempts to Files - truncate + + ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_action:testaction:1 + + + + Record Successful Permission Changes to Files - fchmod + + ocil:ssg-audit_rules_successful_file_modification_fchmod_action:testaction:1 + + + + Record Successful Access Attempts to Files - creat + + ocil:ssg-audit_rules_successful_file_modification_creat_action:testaction:1 + + + + Record Successful Creation Attempts to Files - open_by_handle_at O_CREAT + + ocil:ssg-audit_rules_successful_file_modification_open_by_handle_at_o_creat_action:testaction:1 + + + + Record Successful Permission Changes to Files - fremovexattr + + ocil:ssg-audit_rules_successful_file_modification_fremovexattr_action:testaction:1 + + + + Record Unsuccessul Permission Changes to Files - setxattr + + ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1 + + + + Record Successful Creation Attempts to Files - open_by_handle_at O_TRUNC_WRITE + + ocil:ssg-audit_rules_successful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1 + + + + Record Unsuccessful Modification Attempts to Files - open_by_handle_at 
O_TRUNC_WRITE + + ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1 + + + + Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE + + ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1 + + + + Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE + + ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write_action:testaction:1 + + + + Record Successful Ownership Changes to Files - chown + + ocil:ssg-audit_rules_successful_file_modification_chown_action:testaction:1 + + + + Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + + ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_action:testaction:1 + + + + Record Unsuccessul Ownership Changes to Files - fchownat + + ocil:ssg-audit_rules_unsuccessful_file_modification_fchownat_action:testaction:1 + + + + Record Unsuccessul Permission Changes to Files - chmod + + ocil:ssg-audit_rules_unsuccessful_file_modification_chmod_action:testaction:1 + + + + Record Successful Access Attempts to Files - open + + ocil:ssg-audit_rules_successful_file_modification_open_action:testaction:1 + + + + Record Unsuccessul Delete Attempts to Files - unlink + + ocil:ssg-audit_rules_unsuccessful_file_modification_unlink_action:testaction:1 + + + + Record Successful Delete Attempts to Files - rename + + ocil:ssg-audit_rules_successful_file_modification_rename_action:testaction:1 + + + + Record Unsuccessul Ownership Changes to Files - chown + + ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1 + + + + Record Successful Delete Attempts to Files - unlinkat + + ocil:ssg-audit_rules_successful_file_modification_unlinkat_action:testaction:1 + + + + Record Successful Creation Attempts to Files - openat O_CREAT + + ocil:ssg-audit_rules_successful_file_modification_openat_o_creat_action:testaction:1 + + + + Record Successful 
Creation Attempts to Files - openat O_TRUNC_WRITE + + ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1 + + + + Record Successful Permission Changes to Files - setxattr + + ocil:ssg-audit_rules_successful_file_modification_setxattr_action:testaction:1 + + + + Record Successful Ownership Changes to Files - lchown + + ocil:ssg-audit_rules_successful_file_modification_lchown_action:testaction:1 + + + + Record Unsuccessful Access Attempts to Files - open + + ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 + + + + Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly + + ocil:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order_action:testaction:1 + + + + Record Unsuccessful Access Attempts to Files - ftruncate + + ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 + + + + Record Unsuccessul Permission Changes to Files - removexattr + + ocil:ssg-audit_rules_unsuccessful_file_modification_removexattr_action:testaction:1 + + + + Record Successful Access Attempts to Files - truncate + + ocil:ssg-audit_rules_successful_file_modification_truncate_action:testaction:1 + + + + Record Successful Creation Attempts to Files - open O_TRUNC_WRITE + + ocil:ssg-audit_rules_successful_file_modification_open_o_trunc_write_action:testaction:1 + + + + Record Unsuccessul Permission Changes to Files - fchmod + + ocil:ssg-audit_rules_unsuccessful_file_modification_fchmod_action:testaction:1 + + + + Record Successful Delete Attempts to Files - unlink + + ocil:ssg-audit_rules_successful_file_modification_unlink_action:testaction:1 + + + + Record Unsuccessul Ownership Changes to Files - lchown + + ocil:ssg-audit_rules_unsuccessful_file_modification_lchown_action:testaction:1 + + + + Record Unsuccessful Creation Attempts to Files - openat O_CREAT + + ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat_action:testaction:1 + + + + Record Successful 
Permission Changes to Files - fchmodat + + ocil:ssg-audit_rules_successful_file_modification_fchmodat_action:testaction:1 + + + + Record Successful Permission Changes to Files - fsetxattr + + ocil:ssg-audit_rules_successful_file_modification_fsetxattr_action:testaction:1 + + + + Record Successful Access Attempts to Files - open_by_handle_at + + ocil:ssg-audit_rules_successful_file_modification_open_by_handle_at_action:testaction:1 + + + + Record Unsuccessul Delete Attempts to Files - renameat + + ocil:ssg-audit_rules_unsuccessful_file_modification_renameat_action:testaction:1 + + + + Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly + + ocil:ssg-audit_rules_unsuccessful_file_modification_open_rule_order_action:testaction:1 + + + + Record Unsuccessful Access Attempts to Files - openat + + ocil:ssg-audit_rules_unsuccessful_file_modification_openat_action:testaction:1 + + + + Record Unsuccessful Creation Attempts to Files - open O_CREAT + + ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1 + + + + Record Successful Ownership Changes to Files - fchownat + + ocil:ssg-audit_rules_successful_file_modification_fchownat_action:testaction:1 + + + + Record Successful Creation Attempts to Files - open O_CREAT + + ocil:ssg-audit_rules_successful_file_modification_open_o_creat_action:testaction:1 + + + + Record Successful Delete Attempts to Files - renameat + + ocil:ssg-audit_rules_successful_file_modification_renameat_action:testaction:1 + + + + Record Unsuccessul Permission Changes to Files - fremovexattr + + ocil:ssg-audit_rules_unsuccessful_file_modification_fremovexattr_action:testaction:1 + + + + Record Unsuccessul Ownership Changes to Files - fchown + + ocil:ssg-audit_rules_unsuccessful_file_modification_fchown_action:testaction:1 + + + + Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly + + 
ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_action:testaction:1 + + + + Record Unsuccessful Access Attempts to Files - open_by_handle_at + + ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1 + + + + Record Unsuccessul Permission Changes to Files - lremovexattr + + ocil:ssg-audit_rules_unsuccessful_file_modification_lremovexattr_action:testaction:1 + + + + Record Successful Permission Changes to Files - chmod + + ocil:ssg-audit_rules_successful_file_modification_chmod_action:testaction:1 + + + + Record Successful Permission Changes to Files - removexattr + + ocil:ssg-audit_rules_successful_file_modification_removexattr_action:testaction:1 + + + + Record Unsuccessul Permission Changes to Files - fsetxattr + + ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_action:testaction:1 + + + + Record Unsuccessful Access Attempts to Files - creat + + ocil:ssg-audit_rules_unsuccessful_file_modification_creat_action:testaction:1 + + + + Record Successful Ownership Changes to Files - fchown + + ocil:ssg-audit_rules_successful_file_modification_fchown_action:testaction:1 + + + + Record Unsuccessul Permission Changes to Files - fchmodat + + ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_action:testaction:1 + + + + Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) + + ocil:ssg-audit_rules_unsuccessful_file_modification_action:testaction:1 + + + + Record Successful Permission Changes to Files - lremovexattr + + ocil:ssg-audit_rules_successful_file_modification_lremovexattr_action:testaction:1 + + + + Record Unsuccessul Delete Attempts to Files - rename + + ocil:ssg-audit_rules_unsuccessful_file_modification_rename_action:testaction:1 + + + + Record Unsuccessul Delete Attempts to Files - unlinkat + + ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1 + + + + Ensure auditd Collects File Deletion Events by User + + 
ocil:ssg-audit_rules_file_deletion_events_action:testaction:1 + + + + Ensure auditd Collects File Deletion Events by User - rmdir + + ocil:ssg-audit_rules_file_deletion_events_rmdir_action:testaction:1 + + + + Ensure auditd Collects File Deletion Events by User - unlink + + ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1 + + + + Ensure auditd Collects File Deletion Events by User - renameat + + ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1 + + + + Ensure auditd Collects File Deletion Events by User - rename + + ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 + + + + Ensure auditd Collects File Deletion Events by User - unlinkat + + ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1 + + + + Record Attempts to Alter Logon and Logout Events - faillock + + ocil:ssg-audit_rules_login_events_faillock_action:testaction:1 + + + + Record Attempts to Alter Logon and Logout Events - tallylog + + ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1 + + + + Record Attempts to Alter Logon and Logout Events - lastlog + + ocil:ssg-audit_rules_login_events_lastlog_action:testaction:1 + + + + Record Attempts to Alter Time Through stime + + ocil:ssg-audit_rules_time_stime_action:testaction:1 + + + + Record Attempts to Alter Time Through clock_settime + + ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 + + + + Record Attempts to Alter the localtime File + + ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 + + + + Record attempts to alter time through adjtimex + + ocil:ssg-audit_rules_time_adjtimex_action:testaction:1 + + + + Record attempts to alter time through settimeofday + + ocil:ssg-audit_rules_time_settimeofday_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit + + ocil:ssg-audit_rules_privileged_commands_sudoedit_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged 
Commands - crontab + + ocil:ssg-audit_rules_privileged_commands_crontab_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap + + ocil:ssg-audit_rules_privileged_commands_newgidmap_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign + + ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged Commands - umount + + ocil:ssg-audit_rules_privileged_commands_umount_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged Commands - newgrp + + ocil:ssg-audit_rules_privileged_commands_newgrp_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged Commands - chage + + ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + + ocil:ssg-audit_rules_privileged_commands_gpasswd_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged Commands - chsh + + ocil:ssg-audit_rules_privileged_commands_chsh_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown + + ocil:ssg-audit_rules_privileged_commands_pt_chown_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap + + ocil:ssg-audit_rules_privileged_commands_newuidmap_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged Commands + + ocil:ssg-audit_rules_privileged_commands_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged Commands - sudo + + ocil:ssg-audit_rules_privileged_commands_sudo_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged Commands - at + + ocil:ssg-audit_rules_privileged_commands_at_action:testaction:1 + + + + Ensure 
auditd Collects Information on the Use of Privileged Commands - userhelper + + ocil:ssg-audit_rules_privileged_commands_userhelper_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged Commands - passwd + + ocil:ssg-audit_rules_privileged_commands_passwd_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd + + ocil:ssg-audit_rules_privileged_commands_unix_chkpwd_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged Commands - su + + ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl + + ocil:ssg-audit_rules_privileged_commands_usernetctl_action:testaction:1 + + + + Ensure auditd Collects Information on the Use of Privileged Commands - mount + + ocil:ssg-audit_rules_privileged_commands_mount_action:testaction:1 + + + + Ensure auditd Collects Information on Kernel Module Loading and Unloading + + ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1 + + + + Ensure auditd Collects Information on Kernel Module Unloading - delete_module + + ocil:ssg-audit_rules_kernel_module_loading_delete_action:testaction:1 + + + + Ensure auditd Collects Information on Kernel Module Loading - init_module + + ocil:ssg-audit_rules_kernel_module_loading_init_action:testaction:1 + + + + Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module + + ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1 + + + + Record Any Attempts to Run setsebool + + ocil:ssg-audit_rules_execution_setsebool_action:testaction:1 + + + + Record Any Attempts to Run chcon + + ocil:ssg-audit_rules_execution_chcon_action:testaction:1 + + + + Record Any Attempts to Run semanage + + ocil:ssg-audit_rules_execution_semanage_action:testaction:1 + + + + Record Any Attempts to Run restorecon + + 
ocil:ssg-audit_rules_execution_restorecon_action:testaction:1 + + + + Record Any Attempts to Run seunshare + + ocil:ssg-audit_rules_execution_seunshare_action:testaction:1 + + + + Record Events that Modify the System's Discretionary Access Controls - setxattr + + ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 + + + + Record Events that Modify the System's Discretionary Access Controls - fsetxattr + + ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1 + + + + Record Events that Modify the System's Discretionary Access Controls - umount2 + + ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1 + + + + Record Events that Modify the System's Discretionary Access Controls - removexattr + + ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 + + + + Record Events that Modify the System's Discretionary Access Controls - fchmodat + + ocil:ssg-audit_rules_dac_modification_fchmodat_action:testaction:1 + + + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr + + ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 + + + + Record Events that Modify the System's Discretionary Access Controls - fchownat + + ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1 + + + + Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 + + + + Record Events that Modify the System's Discretionary Access Controls - chmod + + ocil:ssg-audit_rules_dac_modification_chmod_action:testaction:1 + + + + Record Events that Modify the System's Discretionary Access Controls - umount + + ocil:ssg-audit_rules_dac_modification_umount_action:testaction:1 + + + + Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 + + + + Record Events that Modify the System's Discretionary 
Access Controls - lchown + + ocil:ssg-audit_rules_dac_modification_lchown_action:testaction:1 + + + + Record Events that Modify the System's Discretionary Access Controls - chown + + ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 + + + + Record Events that Modify the System's Discretionary Access Controls - fchmod + + ocil:ssg-audit_rules_dac_modification_fchmod_action:testaction:1 + + + + Record Events that Modify the System's Discretionary Access Controls - fchown + + ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 + + + + Configure audispd Plugin To Send Logs To Remote Server + + ocil:ssg-auditd_audispd_configure_remote_server_action:testaction:1 + + + + Encrypt Audit Records Sent With audispd Plugin + + ocil:ssg-auditd_audispd_encrypt_sent_records_action:testaction:1 + + + + Configure auditd mail_acct Action on Low Disk Space + + ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 + + + + Set number of records to cause an explicit flush to audit logs + + ocil:ssg-auditd_freq_action:testaction:1 + + + + Configure auditd Max Log File Size + + ocil:ssg-auditd_data_retention_max_log_file_action:testaction:1 + + + + Configure auditd Disk Full Action when Disk Space Is Full + + ocil:ssg-auditd_data_disk_full_action_action:testaction:1 + + + + Configure auditd flush priority + + ocil:ssg-auditd_data_retention_flush_action:testaction:1 + + + + Configure auditd max_log_file_action Upon Reaching Maximum Log Size + + ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1 + + + + Set hostname as computer node name in audit logs + + ocil:ssg-auditd_name_format_action:testaction:1 + + + + Resolve information before writing to audit logs + + ocil:ssg-auditd_log_format_action:testaction:1 + + + + Configure auditd space_left Action on Low Disk Space + + ocil:ssg-auditd_data_retention_space_left_action_action:testaction:1 + + + + Configure auditd Disk Error Action on Disk Error + + 
ocil:ssg-auditd_data_disk_error_action_action:testaction:1 + + + + Configure auditd Number of Logs Retained + + ocil:ssg-auditd_data_retention_num_logs_action:testaction:1 + + + + Configure auditd to use audispd's syslog plugin + + ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1 + + + + Write Audit Logs to the Disk + + ocil:ssg-auditd_write_logs_action:testaction:1 + + + + Configure auditd admin_space_left Action on Low Disk Space + + ocil:ssg-auditd_data_retention_admin_space_left_action_action:testaction:1 + + + + Include Local Events in Audit Logs + + ocil:ssg-auditd_local_events_action:testaction:1 + + + + Disable the Automounter + + ocil:ssg-service_autofs_disabled_action:testaction:1 + + + + Disable Modprobe Loading of USB Storage Driver + + ocil:ssg-kernel_module_usb-storage_disabled_action:testaction:1 + + + + Disable Mounting of cramfs + + ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1 + + + + Disable storing core dumps + + ocil:ssg-sysctl_kernel_core_pattern_action:testaction:1 + + + + Disallow kernel profiling by unprivileged users + + ocil:ssg-sysctl_kernel_perf_event_paranoid_action:testaction:1 + + + + Disable loading and unloading of kernel modules + + ocil:ssg-sysctl_kernel_modules_disabled_action:testaction:1 + + + + Disable Kernel Image Loading + + ocil:ssg-sysctl_kernel_kexec_load_disabled_action:testaction:1 + + + + Restrict usage of ptrace to descendant processes + + ocil:ssg-sysctl_kernel_yama_ptrace_scope_action:testaction:1 + + + + Prevent applications from mapping low portion of virtual memory + + ocil:ssg-sysctl_vm_mmap_min_addr_action:testaction:1 + + + + Harden the operation of the BPF just-in-time compiler + + ocil:ssg-sysctl_net_core_bpf_jit_harden_action:testaction:1 + + + + Disable the use of user namespaces + + ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1 + + + + Configure maximum number of process identifiers + + ocil:ssg-sysctl_kernel_pid_max_action:testaction:1 + + + + Restrict 
Access to Kernel Message Buffer + + ocil:ssg-sysctl_kernel_dmesg_restrict_action:testaction:1 + + + + Disable Access to Network bpf() Syscall From Unprivileged Processes + + ocil:ssg-sysctl_kernel_unprivileged_bpf_disabled_action:testaction:1 + + + + Limit sampling frequency of the Perf system + + ocil:ssg-sysctl_kernel_perf_event_max_sample_rate_action:testaction:1 + + + + Limit CPU consumption of the Perf system + + ocil:ssg-sysctl_kernel_perf_cpu_time_max_percent_action:testaction:1 + + + + Disallow magic SysRq key + + ocil:ssg-sysctl_kernel_sysrq_action:testaction:1 + + + + Enable page allocator poisoning + + ocil:ssg-grub2_page_poison_argument_action:testaction:1 + + + + Enable SLUB/SLAB allocator poisoning + + ocil:ssg-grub2_slub_debug_argument_action:testaction:1 + + + + Disable acquiring, saving, and processing core dumps + + ocil:ssg-service_systemd-coredump_disabled_action:testaction:1 + + + + Disable storing core dump + + ocil:ssg-coredump_disable_storage_action:testaction:1 + + + + Disable Core Dumps for All Users + + ocil:ssg-disable_users_coredumps_action:testaction:1 + + + + Disable core dump backtraces + + ocil:ssg-coredump_disable_backtraces_action:testaction:1 + + + + Disable Core Dumps for SUID programs + + ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1 + + + + Restrict Exposed Kernel Pointer Addresses Access + + ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1 + + + + Enable ExecShield via sysctl + + ocil:ssg-sysctl_kernel_exec_shield_action:testaction:1 + + + + Enable Randomized Layout of Virtual Address Space + + ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1 + + + + Set Daemon Umask + + ocil:ssg-umask_for_daemons_action:testaction:1 + + + + Verify that local System.map file (if exists) is readable only by root + + ocil:ssg-file_permissions_systemmap_action:testaction:1 + + + + Ensure All World-Writable Directories Are Owned by a System Account + + ocil:ssg-dir_perms_world_writable_system_owned_action:testaction:1 
+ + + + Ensure All World-Writable Directories Are Group Owned by a System Account + + ocil:ssg-dir_perms_world_writable_system_owned_group_action:testaction:1 + + + + Ensure No World-Writable Files Exist + + ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 + + + + Ensure All Files Are Owned by a User + + ocil:ssg-no_files_unowned_by_user_action:testaction:1 + + + + Enable Kernel Parameter to Enforce DAC on Hardlinks + + ocil:ssg-sysctl_fs_protected_hardlinks_action:testaction:1 + + + + Enable Kernel Parameter to Enforce DAC on Symlinks + + ocil:ssg-sysctl_fs_protected_symlinks_action:testaction:1 + + + + Ensure All SGID Executables Are Authorized + + ocil:ssg-file_permissions_unauthorized_sgid_action:testaction:1 + + + + Ensure All Files Are Owned by a Group + + ocil:ssg-file_permissions_ungroupowned_action:testaction:1 + + + + Ensure All World-Writable Directories Are Owned by root user + + ocil:ssg-dir_perms_world_writable_root_owned_action:testaction:1 + + + + Ensure All SUID Executables Are Authorized + + ocil:ssg-file_permissions_unauthorized_suid_action:testaction:1 + + + + Verify that All World-Writable Directories Have Sticky Bits Set + + ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 + + + + Verify that Shared Library Directories Have Restrictive Permissions + + ocil:ssg-dir_permissions_library_dirs_action:testaction:1 + + + + Verify that System Executables Have Restrictive Permissions + + ocil:ssg-file_permissions_binary_dirs_action:testaction:1 + + + + Verify that Shared Library Files Have Restrictive Permissions + + ocil:ssg-file_permissions_library_dirs_action:testaction:1 + + + + Verify that System Executables Have Root Ownership + + ocil:ssg-file_ownership_binary_dirs_action:testaction:1 + + + + Verify that Shared Library Files Have Root Ownership + + ocil:ssg-file_ownership_library_dirs_action:testaction:1 + + + + Verify Group Who Owns /var/log Directory + + 
ocil:ssg-file_groupowner_var_log_action:testaction:1 + + + + Verify User Who Owns /var/log Directory + + ocil:ssg-file_owner_var_log_action:testaction:1 + + + + Verify Group Who Owns /var/log/messages File + + ocil:ssg-file_groupowner_var_log_messages_action:testaction:1 + + + + Verify Permissions on /var/log/messages File + + ocil:ssg-file_permissions_var_log_messages_action:testaction:1 + + + + Verify Permissions on /var/log Directory + + ocil:ssg-file_permissions_var_log_action:testaction:1 + + + + Verify User Who Owns /var/log/messages File + + ocil:ssg-file_owner_var_log_messages_action:testaction:1 + + + + Verify User Who Owns Backup group File + + ocil:ssg-file_owner_backup_etc_group_action:testaction:1 + + + + Verify Group Who Owns Backup gshadow File + + ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 + + + + Verify Group Who Owns passwd File + + ocil:ssg-file_groupowner_etc_passwd_action:testaction:1 + + + + Verify Group Who Owns gshadow File + + ocil:ssg-file_groupowner_etc_gshadow_action:testaction:1 + + + + Verify Permissions on passwd File + + ocil:ssg-file_permissions_etc_passwd_action:testaction:1 + + + + Verify Permissions on shadow File + + ocil:ssg-file_permissions_etc_shadow_action:testaction:1 + + + + Verify Group Who Owns group File + + ocil:ssg-file_groupowner_etc_group_action:testaction:1 + + + + Verify User Who Owns group File + + ocil:ssg-file_owner_etc_group_action:testaction:1 + + + + Verify Permissions on Backup shadow File + + ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1 + + + + Verify Permissions on group File + + ocil:ssg-file_permissions_etc_group_action:testaction:1 + + + + Verify Group Who Owns Backup group File + + ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 + + + + Verify Group Who Owns Backup shadow File + + ocil:ssg-file_owner_backup_etc_shadow_action:testaction:1 + + + + Verify User Who Owns passwd File + + ocil:ssg-file_owner_etc_passwd_action:testaction:1 + + + + Verify 
User Who Owns Backup shadow File + + ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1 + + + + Verify Permissions on Backup passwd File + + ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1 + + + + Verify User Who Owns Backup gshadow File + + ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 + + + + Verify User Who Owns gshadow File + + ocil:ssg-file_owner_etc_gshadow_action:testaction:1 + + + + Verify Permissions on Backup group File + + ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 + + + + Verify Permissions on gshadow File + + ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 + + + + Verify Group Who Owns shadow File + + ocil:ssg-file_groupowner_etc_shadow_action:testaction:1 + + + + Verify User Who Owns Backup passwd File + + ocil:ssg-file_owner_backup_etc_passwd_action:testaction:1 + + + + Verify Group Who Owns Backup passwd File + + ocil:ssg-file_groupowner_backup_etc_passwd_action:testaction:1 + + + + Verify Permissions on Backup gshadow File + + ocil:ssg-file_permissions_backup_etc_gshadow_action:testaction:1 + + + + Verify User Who Owns shadow File + + ocil:ssg-file_owner_etc_shadow_action:testaction:1 + + + + Add nodev Option to /dev/shm + + ocil:ssg-mount_option_dev_shm_nodev_action:testaction:1 + + + + Add noexec Option to Removable Media Partitions + + ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1 + + + + Add noexec Option to /var/log + + ocil:ssg-mount_option_var_log_noexec_action:testaction:1 + + + + Add nodev Option to /tmp + + ocil:ssg-mount_option_tmp_nodev_action:testaction:1 + + + + Add nodev Option to Non-Root Local Partitions + + ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1 + + + + Add nodev Option to /var/log/audit + + ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1 + + + + Add noauto Option to /boot + + ocil:ssg-mount_option_boot_noauto_action:testaction:1 + + + + Add nosuid Option to /opt + + 
ocil:ssg-mount_option_opt_nosuid_action:testaction:1 + + + + Add nosuid Option to /boot + + ocil:ssg-mount_option_boot_nosuid_action:testaction:1 + + + + Add nosuid Option to /tmp + + ocil:ssg-mount_option_tmp_nosuid_action:testaction:1 + + + + Add noexec Option to /var/log/audit + + ocil:ssg-mount_option_var_log_audit_noexec_action:testaction:1 + + + + Add nosuid Option to /dev/shm + + ocil:ssg-mount_option_dev_shm_nosuid_action:testaction:1 + + + + Add noexec Option to /tmp + + ocil:ssg-mount_option_tmp_noexec_action:testaction:1 + + + + Add nosuid Option to /var + + ocil:ssg-mount_option_var_nosuid_action:testaction:1 + + + + Add nodev Option to /var/log + + ocil:ssg-mount_option_var_log_nodev_action:testaction:1 + + + + Add nodev Option to /var + + ocil:ssg-mount_option_var_nodev_action:testaction:1 + + + + Add noexec Option to /boot + + ocil:ssg-mount_option_boot_noexec_action:testaction:1 + + + + Add noexec Option to /home + + ocil:ssg-mount_option_home_noexec_action:testaction:1 + + + + Add noexec Option to /var + + ocil:ssg-mount_option_var_noexec_action:testaction:1 + + + + Add nodev Option to /boot + + ocil:ssg-mount_option_boot_nodev_action:testaction:1 + + + + Add nosuid Option to /srv + + ocil:ssg-mount_option_srv_nosuid_action:testaction:1 + + + + Add noexec Option to /dev/shm + + ocil:ssg-mount_option_dev_shm_noexec_action:testaction:1 + + + + Add nosuid Option to /var/log + + ocil:ssg-mount_option_var_log_nosuid_action:testaction:1 + + + + Add nosuid Option to /var/log/audit + + ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1 + + + + Ensure rsyslog-gnutls is installed + + ocil:ssg-package_rsyslog-gnutls_installed_action:testaction:1 + + + + Ensure rsyslog is Installed + + ocil:ssg-package_rsyslog_installed_action:testaction:1 + + + + Enable rsyslog Service + + ocil:ssg-service_rsyslog_enabled_action:testaction:1 + + + + Ensure syslog-ng is Installed + + ocil:ssg-package_syslogng_installed_action:testaction:1 + + + + Enable syslog-ng 
Service + + ocil:ssg-service_syslogng_enabled_action:testaction:1 + + + + Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server + + ocil:ssg-rsyslog_nolisten_action:testaction:1 + + + + Ensure Logrotate Runs Periodically + + ocil:ssg-ensure_logrotate_activated_action:testaction:1 + + + + Configure TLS for rsyslog remote logging + + ocil:ssg-rsyslog_remote_tls_action:testaction:1 + + + + Ensure Logs Sent To Remote Host + + ocil:ssg-rsyslog_remote_loghost_action:testaction:1 + + + + Configure CA certificate for rsyslog remote logging + + ocil:ssg-rsyslog_remote_tls_cacert_action:testaction:1 + + + + Ensure Log Files Are Owned By Appropriate User + + ocil:ssg-rsyslog_files_ownership_action:testaction:1 + + + + Ensure cron Is Logging To Rsyslog + + ocil:ssg-rsyslog_cron_logging_action:testaction:1 + + + + Ensure Log Files Are Owned By Appropriate Group + + ocil:ssg-rsyslog_files_groupownership_action:testaction:1 + + + + Ensure System Log Files Have Correct Permissions + + ocil:ssg-rsyslog_files_permissions_action:testaction:1 + + + + Ensure System is Not Acting as a Network Sniffer + + ocil:ssg-network_sniffer_disabled_action:testaction:1 + + + + Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + ocil:ssg-network_nmcli_permissions_action:testaction:1 + + + + Disable RDS Support + + ocil:ssg-kernel_module_rds_disabled_action:testaction:1 + + + + Disable IEEE 1394 (FireWire) Support + + ocil:ssg-kernel_module_firewire-core_disabled_action:testaction:1 + + + + Disable TIPC Support + + ocil:ssg-kernel_module_tipc_disabled_action:testaction:1 + + + + Disable DCCP Support + + ocil:ssg-kernel_module_dccp_disabled_action:testaction:1 + + + + Disable ATM Support + + ocil:ssg-kernel_module_atm_disabled_action:testaction:1 + + + + Disable CAN Support + + ocil:ssg-kernel_module_can_disabled_action:testaction:1 + + + + Disable Bluetooth Service + + ocil:ssg-service_bluetooth_disabled_action:testaction:1 + + + + Disable Bluetooth 
Kernel Module + + ocil:ssg-kernel_module_bluetooth_disabled_action:testaction:1 + + + + Deactivate Wireless Network Interfaces + + ocil:ssg-wireless_disable_interfaces_action:testaction:1 + + + + Install iptables Package + + ocil:ssg-package_iptables_installed_action:testaction:1 + + + + Set Default iptables Policy for Incoming Packets + + ocil:ssg-set_iptables_default_rule_action:testaction:1 + + + + Set Default iptables Policy for Forwarded Packets + + ocil:ssg-set_iptables_default_rule_forward_action:testaction:1 + + + + Verify ip6tables Enabled if Using IPv6 + + ocil:ssg-service_ip6tables_enabled_action:testaction:1 + + + + Verify iptables Enabled + + ocil:ssg-service_iptables_enabled_action:testaction:1 + + + + Set Default ip6tables Policy for Incoming Packets + + ocil:ssg-set_ip6tables_default_rule_action:testaction:1 + + + + Install libreswan Package + + ocil:ssg-package_libreswan_installed_action:testaction:1 + + + + Verify Any Configured IPSec Tunnel Connections + + ocil:ssg-libreswan_approved_tunnels_action:testaction:1 + + + + Verify firewalld Enabled + + ocil:ssg-service_firewalld_enabled_action:testaction:1 + + + + Set Default firewalld Zone for Incoming Packets + + ocil:ssg-set_firewalld_default_zone_action:testaction:1 + + + + Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces + + ocil:ssg-sysctl_net_ipv4_ip_forward_action:testaction:1 + + + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces + + ocil:ssg-sysctl_net_ipv4_conf_all_send_redirects_action:testaction:1 + + + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default + + ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1 + + + + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces + + ocil:ssg-sysctl_net_ipv4_conf_all_accept_source_route_action:testaction:1 + + + + Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces + + 
ocil:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_action:testaction:1 + + + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default + + ocil:ssg-sysctl_net_ipv4_conf_default_rp_filter_action:testaction:1 + + + + Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces + + ocil:ssg-sysctl_net_ipv4_conf_all_log_martians_action:testaction:1 + + + + Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default + + ocil:ssg-sysctl_net_ipv4_conf_default_log_martians_action:testaction:1 + + + + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default + + ocil:ssg-sysctl_net_ipv4_conf_default_accept_source_route_action:testaction:1 + + + + Disable Accepting ICMP Redirects for All IPv4 Interfaces + + ocil:ssg-sysctl_net_ipv4_conf_all_accept_redirects_action:testaction:1 + + + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces + + ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1 + + + + Set Kernel Parameter to Increase Local Port Range + + ocil:ssg-sysctl_net_ipv4_ip_local_port_range_action:testaction:1 + + + + Configure Kernel Parameter for Accepting Secure Redirects By Default + + ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1 + + + + Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces + + ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1 + + + + Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces + + ocil:ssg-sysctl_net_ipv4_tcp_syncookies_action:testaction:1 + + + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces + + ocil:ssg-sysctl_net_ipv4_conf_all_rp_filter_action:testaction:1 + + + + Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces + + ocil:ssg-sysctl_net_ipv4_conf_all_secure_redirects_action:testaction:1 + + + + Disable IPv6 Networking Support 
Automatic Loading + + ocil:ssg-kernel_module_ipv6_option_disabled_action:testaction:1 + + + + Disable IPv6 Networking Support Automatic Loading + + ocil:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_action:testaction:1 + + + + Ensure IPv6 is disabled through kernel boot parameter + + ocil:ssg-grub2_ipv6_disable_argument_action:testaction:1 + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces + + ocil:ssg-sysctl_net_ipv6_conf_all_max_addresses_action:testaction:1 + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces + + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_action:testaction:1 + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default + + ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_action:testaction:1 + + + + Disable Accepting Router Advertisements on all IPv6 Interfaces by Default + + ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_action:testaction:1 + + + + Configure Denying Router Solicitations on All IPv6 Interfaces By Default + + ocil:ssg-sysctl_net_ipv6_conf_default_router_solicitations_action:testaction:1 + + + + Configure Auto Configuration on All IPv6 Interfaces + + ocil:ssg-sysctl_net_ipv6_conf_all_autoconf_action:testaction:1 + + + + Configure Denying Router Solicitations on All IPv6 Interfaces + + ocil:ssg-sysctl_net_ipv6_conf_all_router_solicitations_action:testaction:1 + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default + + ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_defrtr_action:testaction:1 + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces + + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_defrtr_action:testaction:1 + + + + Configure Auto Configuration on All IPv6 Interfaces By Default + + ocil:ssg-sysctl_net_ipv6_conf_default_autoconf_action:testaction:1 + + + + Configure Accepting Router Preference in Router 
Advertisements on All IPv6 Interfaces By Default + + ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_action:testaction:1 + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces + + ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_pinfo_action:testaction:1 + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default + + ocil:ssg-sysctl_net_ipv6_conf_default_max_addresses_action:testaction:1 + + + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces + + ocil:ssg-sysctl_net_ipv6_conf_default_accept_redirects_action:testaction:1 + + + + Install libselinux Package + + ocil:ssg-package_libselinux_installed_action:testaction:1 + + + + Install policycoreutils Package + + ocil:ssg-package_policycoreutils_installed_action:testaction:1 + + + + Uninstall setroubleshoot-plugins Package + + ocil:ssg-package_setroubleshoot-plugins_removed_action:testaction:1 + + + + Uninstall setroubleshoot-server Package + + ocil:ssg-package_setroubleshoot-server_removed_action:testaction:1 + + + + Ensure SELinux Not Disabled in /etc/default/grub + + ocil:ssg-grub2_enable_selinux_action:testaction:1 + + + + Ensure SELinux State is Enforcing + + ocil:ssg-selinux_state_action:testaction:1 + + + + Ensure SELinux Not Disabled in the kernel arguments + + ocil:ssg-coreos_enable_selinux_kernel_argument_action:testaction:1 + + + + Ensure No Daemons are Unconfined by SELinux + + ocil:ssg-selinux_confinement_of_daemons_action:testaction:1 + + + + Configure SELinux Policy + + ocil:ssg-selinux_policytype_action:testaction:1 + + + + Ensure No Device Files are Unlabeled by SELinux + + ocil:ssg-selinux_all_devicefiles_labeled_action:testaction:1 + + + + Disable vsyscalls + + ocil:ssg-grub2_vsyscall_argument_action:testaction:1 + + + + Enable Kernel Page-Table Isolation (KPTI) + + ocil:ssg-grub2_pti_argument_action:testaction:1 + + + + Verify the UEFI Boot Loader grub.cfg Permissions + + 
ocil:ssg-file_permissions_efi_grub2_cfg_action:testaction:1 + + + + Set the UEFI Boot Loader Password + + ocil:ssg-grub2_uefi_password_action:testaction:1 + + + + Verify the UEFI Boot Loader grub.cfg User Ownership + + ocil:ssg-file_owner_efi_grub2_cfg_action:testaction:1 + + + + Set the UEFI Boot Loader Admin Username to a Non-Default Value + + ocil:ssg-grub2_uefi_admin_username_action:testaction:1 + + + + Verify the UEFI Boot Loader grub.cfg Group Ownership + + ocil:ssg-file_groupowner_efi_grub2_cfg_action:testaction:1 + + + + Set Boot Loader Password in grub2 + + ocil:ssg-grub2_password_action:testaction:1 + + + + Verify /boot/grub2/grub.cfg Group Ownership + + ocil:ssg-file_groupowner_grub2_cfg_action:testaction:1 + + + + Verify /boot/grub2/grub.cfg User Ownership + + ocil:ssg-file_owner_grub2_cfg_action:testaction:1 + + + + Verify /boot/grub2/grub.cfg Permissions + + ocil:ssg-file_permissions_grub2_cfg_action:testaction:1 + + + + Set the Boot Loader Admin Username to a Non-Default Value + + ocil:ssg-grub2_admin_username_action:testaction:1 + + + + Enable cron Service + + ocil:ssg-service_cron_enabled_action:testaction:1 + + + + Enable cron Service + + ocil:ssg-service_crond_enabled_action:testaction:1 + + + + Disable At Service (atd) + + ocil:ssg-service_atd_disabled_action:testaction:1 + + + + Disable anacron Service + + ocil:ssg-disable_anacron_action:testaction:1 + + + + Uninstall Sendmail Package + + ocil:ssg-package_sendmail_removed_action:testaction:1 + + + + Configure System to Forward All Mail For The Root Account + + ocil:ssg-postfix_client_configure_mail_alias_action:testaction:1 + + + + Configure System to Forward All Mail through a specific host + + ocil:ssg-postfix_client_configure_relayhost_action:testaction:1 + + + + Uninstall net-snmp Package + + ocil:ssg-package_net-snmp_removed_action:testaction:1 + + + + Ensure SNMP Read Write is disabled + + ocil:ssg-snmpd_no_rwusers_action:testaction:1 + + + + Ensure Default SNMP Password Is Not Used + + 
ocil:ssg-snmpd_not_default_password_action:testaction:1 + + + + Configure SNMP Service to Use Only SNMPv3 or Newer + + ocil:ssg-snmpd_use_newer_protocol_action:testaction:1 + + + + Install fapolicyd Package + + ocil:ssg-package_fapolicyd_installed_action:testaction:1 + + + + Uninstall nfs-utils Package + + ocil:ssg-package_nfs-utils_removed_action:testaction:1 + + + + Disable Network File System (nfs) + + ocil:ssg-service_nfs_disabled_action:testaction:1 + + + + Disable Secure RPC Server Service (rpcsvcgssd) + + ocil:ssg-service_rpcsvcgssd_disabled_action:testaction:1 + + + + Specify UID and GID for Anonymous NFS Connections + + ocil:ssg-nfs_no_anonymous_action:testaction:1 + + + + Ensure Insecure File Locking is Not Allowed + + ocil:ssg-no_insecure_locks_exports_action:testaction:1 + + + + Ensure All-Squashing Disabled On All Exports + + ocil:ssg-no_all_squash_exports_action:testaction:1 + + + + Remove the X Windows Package Group + + ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 + + + + Disable X Windows Startup By Setting Default Target + + ocil:ssg-xwindows_runlevel_target_action:testaction:1 + + + + Disable Kerberos by removing host keytab + + ocil:ssg-kerberos_disable_no_keytab_action:testaction:1 + + + + Uninstall vsftpd Package + + ocil:ssg-package_vsftpd_removed_action:testaction:1 + + + + Create Warning Banners for All FTP Users + + ocil:ssg-ftp_present_banner_action:testaction:1 + + + + Enable Logging of All FTP Transactions + + ocil:ssg-ftp_log_transactions_action:testaction:1 + + + + The Chrony package is installed + + ocil:ssg-package_chrony_installed_action:testaction:1 + + + + The Chronyd service is enabled + + ocil:ssg-service_chronyd_enabled_action:testaction:1 + + + + Enable the NTP Daemon + + ocil:ssg-service_chronyd_or_ntpd_enabled_action:testaction:1 + + + + Enable the NTP Daemon + + ocil:ssg-service_ntp_enabled_action:testaction:1 + + + + Enable the NTP Daemon + + ocil:ssg-service_ntpd_enabled_action:testaction:1 + + + + 
Configure Time Service Maxpoll Interval + + ocil:ssg-chronyd_or_ntpd_set_maxpoll_action:testaction:1 + + + + Ensure that chronyd is running under chrony user account + + ocil:ssg-chronyd_run_as_chrony_user_action:testaction:1 + + + + Specify a Remote NTP Server + + ocil:ssg-chronyd_or_ntpd_specify_remote_server_action:testaction:1 + + + + Configure server restrictions for ntpd + + ocil:ssg-ntpd_configure_restrictions_action:testaction:1 + + + + Configure ntpd To Run As ntp User + + ocil:ssg-ntpd_run_as_ntp_user_action:testaction:1 + + + + Disable network management of chrony daemon + + ocil:ssg-chronyd_no_chronyc_network_action:testaction:1 + + + + Specify a Remote NTP Server + + ocil:ssg-ntpd_specify_remote_server_action:testaction:1 + + + + Disable chrony daemon from acting as server + + ocil:ssg-chronyd_client_only_action:testaction:1 + + + + A remote time server for Chrony is configured + + ocil:ssg-chronyd_specify_remote_server_action:testaction:1 + + + + Ensure LDAP client is not installed + + ocil:ssg-package_openldap-clients_removed_action:testaction:1 + + + + Ensure rsyncd service is diabled + + ocil:ssg-service_rsyncd_disabled_action:testaction:1 + + + + Remove Rsh Trust Files + + ocil:ssg-no_rsh_trust_files_action:testaction:1 + + + + Uninstall bind Package + + ocil:ssg-package_bind_removed_action:testaction:1 + + + + Enable the Hardware RNG Entropy Gatherer Service + + ocil:ssg-service_rngd_enabled_action:testaction:1 + + + + Install sssd-ipa Package + + ocil:ssg-package_sssd-ipa_installed_action:testaction:1 + + + + Configure SSSD's Memory Cache to Expire + + ocil:ssg-sssd_memcache_timeout_action:testaction:1 + + + + Configure SSSD to Expire SSH Known Hosts + + ocil:ssg-sssd_ssh_known_hosts_timeout_action:testaction:1 + + + + Configure SSSD to run as user sssd + + ocil:ssg-sssd_run_as_sssd_user_action:testaction:1 + + + + Enable Smartcards in SSSD + + ocil:ssg-sssd_enable_smartcards_action:testaction:1 + + + + Configure SSSD to Expire Offline 
Credentials + + ocil:ssg-sssd_offline_cred_expiration_action:testaction:1 + + + + Install usbguard Package + + ocil:ssg-package_usbguard_installed_action:testaction:1 + + + + Enable the USBGuard Service + + ocil:ssg-service_usbguard_enabled_action:testaction:1 + + + + Log USBGuard daemon audit events using Linux Audit + + ocil:ssg-configure_usbguard_auditbackend_action:testaction:1 + + + + Authorize Human Interface Devices and USB hubs in USBGuard daemon + + ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1 + + + + Authorize Human Interface Devices in USBGuard daemon + + ocil:ssg-usbguard_allow_hid_action:testaction:1 + + + + Authorize USB hubs in USBGuard daemon + + ocil:ssg-usbguard_allow_hub_action:testaction:1 + + + + Install the OpenSSH Server Package + + ocil:ssg-package_openssh-server_installed_action:testaction:1 + + + + Remove the OpenSSH Server Package + + ocil:ssg-package_openssh-server_removed_action:testaction:1 + + + + Verify Permissions on SSH Server Public *.pub Key Files + + ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1 + + + + Verify Permissions on SSH Server Private *_key Key Files + + ocil:ssg-file_permissions_sshd_private_key_action:testaction:1 + + + + Force frequent session key renegotiation + + ocil:ssg-sshd_rekey_limit_action:testaction:1 + + + + Disable GSSAPI Authentication + + ocil:ssg-sshd_disable_gssapi_auth_action:testaction:1 + + + + Enable SSH Print Last Log + + ocil:ssg-sshd_print_last_log_action:testaction:1 + + + + Set SSH Idle Timeout Interval + + ocil:ssg-sshd_set_idle_timeout_action:testaction:1 + + + + Set SSH Daemon LogLevel to VERBOSE + + ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1 + + + + Enable GSSAPI Authentication + + ocil:ssg-sshd_enable_gssapi_auth_action:testaction:1 + + + + Set SSH authentication attempt limit + + ocil:ssg-sshd_set_max_auth_tries_action:testaction:1 + + + + Set LogLevel to INFO + + ocil:ssg-sshd_set_loglevel_info_action:testaction:1 + + + + Disable X11 Forwarding + + 
ocil:ssg-sshd_disable_x11_forwarding_action:testaction:1 + + + + Disable SSH root Login with a Password (Insecure) + + ocil:ssg-sshd_disable_root_password_login_action:testaction:1 + + + + Disable SSH Root Login + + ocil:ssg-sshd_disable_root_login_action:testaction:1 + + + + Limit Users' SSH Access + + ocil:ssg-sshd_limit_user_access_action:testaction:1 + + + + Disable SSH TCP Forwarding + + ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1 + + + + Disable Host-Based Authentication + + ocil:ssg-disable_host_auth_action:testaction:1 + + + + Allow Only SSH Protocol 2 + + ocil:ssg-sshd_allow_only_protocol2_action:testaction:1 + + + + Enable SSH Warning Banner + + ocil:ssg-sshd_enable_warning_banner_action:testaction:1 + + + + Disable Compression Or Set Compression to delayed + + ocil:ssg-sshd_disable_compression_action:testaction:1 + + + + Prevent remote hosts from connecting to the proxy display + + ocil:ssg-sshd_x11_use_localhost_action:testaction:1 + + + + Enable Use of Strict Mode Checking + + ocil:ssg-sshd_enable_strictmodes_action:testaction:1 + + + + Disable SSH Access via Empty Passwords + + ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 + + + + Disable Kerberos Authentication + + ocil:ssg-sshd_disable_kerb_auth_action:testaction:1 + + + + Enable Use of Privilege Separation + + ocil:ssg-sshd_use_priv_separation_action:testaction:1 + + + + Disable SSH Support for Rhosts RSA Authentication + + ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1 + + + + Do Not Allow SSH Environment Options + + ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1 + + + + Disable SSH Support for .rhosts Files + + ocil:ssg-sshd_disable_rhosts_action:testaction:1 + + + + Set SSH Client Alive Count Max + + ocil:ssg-sshd_set_keepalive_action:testaction:1 + + + + Set SSH Client Alive Count Max to zero + + ocil:ssg-sshd_set_keepalive_0_action:testaction:1 + + + + Enable Encrypted X11 Forwarding + + ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1 + + + + 
Disable PubkeyAuthentication Authentication + + ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1 + + + + Disable SSH Support for User Known Hosts + + ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1 + + + + Set SSH MaxSessions limit + + ocil:ssg-sshd_set_max_sessions_action:testaction:1 + + + + Uninstall Automatic Bug Reporting Tool (abrt) + + ocil:ssg-package_abrt_removed_action:testaction:1 + + + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + 
FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + 
+ FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + 
+ + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS 
+ + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + 
PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + 
+ PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + 
+ + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + 
+ + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + PASS + + + FAIL + + + + + + To check if the installed Operating System is 64-bit, run the following command: +$ uname -m +The output should be one of the following: x86_64, aarch64, ppc64le or s390x. +If the output is i686 or i386 the operating system is 32-bit. +Check if the installed CPU supports 64-bit operating systems by running the following command: +$ lscpu | grep "CPU op-mode" +If the output contains 64bit, the CPU supports 64-bit operating systems. + Is it the case that the installed operating sytem is 32-bit but the CPU supports operation in 64-bit? + + + + The following command will list which files on the system +have file hashes different from what is expected by the RPM database. 
+$ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' + Is it the case that there is output? + + + + The following command will list which files on the system have permissions different from what +is expected by the RPM database: +$ rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }' + Is it the case that there is output? + + + + Run the following command to determine if the aide package is installed: $ rpm -q aide + Is it the case that the package is not installed? + + + + To find the location of the AIDE databse file, run the following command: +$ sudo ls -l DBDIR/database_file_name + Is it the case that there is no database file? + + + + To determine that periodic AIDE execution has been scheduled, run the following command: +$ grep aide /etc/crontab +The output should return something similar to the following: +05 4 * * * root /usr/sbin/aide --check + +NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. + Is it the case that there is no output? + + + + To verify that kernel parameter 'crypto.fips_enabled' is set properly, run the following command: +sysctl crypto.fips_enabled +The output should contain the following: +crypto.fips_enabled = 1 + Is it the case that crypto.fips_enabled is not 1? + + + + To verify that FIPS is enabled properly, run the following command: +fips-mode-setup --check +The output should contain the following: +FIPS mode is enabled. + Is it the case that FIPS mode is not enabled? + + + + To verify /etc/system-fips exists, run the following command: +ls -l /etc/system-fips +The output should be similar to the the following: +-rw-r--r--. 1 root root 36 Nov 26 11:31 /etc/system-fips + Is it the case that /etc/system-fips does not exist? + + + + To verify that the Dracut FIPS module is enabled, run the following command: +grep "add_dracutmodules" /etc/dracut.conf.d/40-fips.conf +The output should look like this: +add_dracutmodules+=" fips " + Is it the case that the Dracut FIPS module is not enabled? 
+ + + + To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file +/etc/pki/tls/openssl.cnf contains the [ crypto_policy ] section with the +.include /etc/crypto-policies/back-ends/opensslcnf.config directive: +grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf. + Is it the case that the OpenSSL config file doesn't contain the whole section, +or that the section doesn't have the <pre>.include /etc/crypto-policies/back-ends/opensslcnf.config</pre> directive? + + + + To verify if the OpenSSH server uses defined Crypto Policy, run: +$ grep 'CRYPTO_POLICY' /etc/crypto-policies/back-ends/opensshserver.config | tail -n 1 +and verify that the line matches +CRYPTO_POLICY='-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256' + Is it the case that Crypto Policy for OpenSSH Server is not configured according to CC requirements? + + + + To verify that Libreswan uses the system crypto policy, run the following command: +$ grep include /etc/ipsec.conf +The output should return something similar to: +include /etc/crypto-policies/back-ends/libreswan.config + Is it the case that Libreswan is installed and <tt>/etc/ipsec.conf</tt> does not contain <tt>include /etc/crypto-policies/back-ends/libreswan.config</tt>? 
+ + + + To verify if the OpenSSH Client uses defined Crypto Policy, run: +$ cat /etc/ssh/ssh_config.d/02-ospp.conf +and verify that the line matches +Match final all +RekeyLimit 512M 1h +GSSAPIAuthentication no +Ciphers aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc +PubkeyAcceptedKeyTypes ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 +MACs hmac-sha2-512,hmac-sha2-256 +KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 + Is it the case that Crypto Policy for OpenSSH Client is not configured according to CC requirements? + + + + Check that the CRYPTO_POLICY variable is not set or is commented in the +/etc/sysconfig/sshd. + Is it the case that the CRYPTO_POLICY variable is not set or is commented in the /etc/sysconfig/sshd? + + + + To verify that cryptography policy has been configured correctly, run the +following command: +$ update-crypto-policies --show +The output should return . +Run the command to check if the policy is correctly applied: +$ update-crypto-policies --is-applied +The output should be The configured policy is applied. +Moreover, check if settings for selected crypto policy are as expected. +List all libraries for which it holds that their crypto policies do not have symbolic link in /etc/crypto-policies/back-ends. +$ ls -l /etc/crypto-policies/back-ends/ | grep '^[^l]' | tail -n +2 | awk -F' ' '{print $NF}' | awk -F'.' '{print $1}' | sort +Subsequently, check if matching libraries have drop in files in the /etc/crypto-policies/local.d directory. +$ ls /etc/crypto-policies/local.d/ | awk -F'-' '{print $1}' | uniq | sort +Outputs of two previous commands should match. + Is it the case that cryptographic policy is not configured or is configured incorrectly? 
+ + + + To verify that BIND uses the system crypto policy, check out that the BIND config file +/etc/named.conf contains the include "/etc/crypto-policies/back-ends/bind.config"; +directive: grep 'include "/etc/crypto-policies/back-ends/bind.config";' /etc/named.conf, +and verify that the directive is at the bottom of the options section of the config file. + Is it the case that BIND is installed and the BIND config file doesn't contain the +<pre>include "/etc/crypto-policies/back-ends/bind.config";</pre> directive? + + + + Check that the symlink exists and target the correct kerberos crypto policy, with the following command: +file /etc/krb5.conf.d/crypto-policies +If command ouput shows the following line, kerberos is configured to use the system-wide crypto policy. +/etc/krb5.conf.d/crypto-policies: symbolic link to /etc/crypto-policies/back-ends/krb5.config + Is it the case that the symlink does not exist or points to a different target? + + + + Inspect the system to determine if intrusion detection software has been installed. +Verify this intrusion detection software is active. + Is it the case that no host-based intrusion detection tools are installed? + + + + Verify an anti-virus solution is installed on the system. The anti-virus solution may be +bundled with an approved host-based security solution. + Is it the case that there is no anti-virus solution installed on the system? + + + + Verify that the system backups user data. + Is it the case that it is not? + + + + To verify that McAfee HIPS is installed, run the following command(s): +$ rpm -q MFEhiplsm + Is it the case that the HBSS HIPS module is not installed? + + + + To verify that the installed operating system is supported, run +the following command: + +The output should contain something similar to: +Fedora + Is it the case that the installed operating system is not supported? 
+ + + + To verify that the installed operating system is supported or certified, run +the following command: + +The output should contain something similar to: +Fedora + Is it the case that the installed operating system is not FIPS 140-2 certified? + + + + Run the following command to determine if the binutils package is installed: $ rpm -q binutils + Is it the case that the package is not installed? + + + + Run the following command to determine if the cryptsetup-luks package is installed: $ rpm -q cryptsetup-luks + Is it the case that the package is not installed? + + + + Run the following command to determine if the gnutls-utils package is installed: $ rpm -q gnutls-utils + Is it the case that the package is not installed? + + + + Run the following command to determine if the libcap-ng-utils package is installed: $ rpm -q libcap-ng-utils + Is it the case that the package is not installed? + + + + Run the following command to determine if the nss-tools package is installed: $ rpm -q nss-tools + Is it the case that the package is not installed? + + + + Run the following command to determine if the openscap-scanner package is installed: $ rpm -q openscap-scanner + Is it the case that the package is not installed? + + + + Run the following command to determine if the rear package is installed: $ rpm -q rear + Is it the case that the package is not installed? + + + + Run the following command to determine if the rng-tools package is installed: $ rpm -q rng-tools + Is it the case that the package is not installed? + + + + Run the following command to determine if the scap-security-guide package is installed: $ rpm -q scap-security-guide + Is it the case that the package is not installed? + + + + Run the following command to determine if the tar package is installed: $ rpm -q tar + Is it the case that the package is not installed? 
+ + + + Run the following command to determine if the vim package is installed: $ rpm -q vim + Is it the case that the package is not installed? + + + + Run the following command to determine if the abrt-addon-ccpp package is installed: +$ rpm -q abrt-addon-ccpp + Is it the case that the package is installed? + + + + Run the following command to determine if the abrt-addon-kerneloops package is installed: +$ rpm -q abrt-addon-kerneloops + Is it the case that the package is installed? + + + + Run the following command to determine if the abrt-addon-python package is installed: +$ rpm -q abrt-addon-python + Is it the case that the package is installed? + + + + Run the following command to determine if the abrt-cli package is installed: +$ rpm -q abrt-cli + Is it the case that the package is installed? + + + + Run the following command to determine if the abrt-plugin-logger package is installed: +$ rpm -q abrt-plugin-logger + Is it the case that the package is installed? + + + + Run the following command to determine if the abrt-plugin-rhtsupport package is installed: +$ rpm -q abrt-plugin-rhtsupport + Is it the case that the package is installed? + + + + Run the following command to determine if the abrt-plugin-sosreport package is installed: +$ rpm -q abrt-plugin-sosreport + Is it the case that the package is installed? + + + + Run the following command to determine if the geolite2-city package is installed: +$ rpm -q geolite2-city + Is it the case that the package is installed? + + + + Run the following command to determine if the geolite2-country package is installed: +$ rpm -q geolite2-country + Is it the case that the package is installed? + + + + Run the following command to determine if the gssproxy package is installed: +$ rpm -q gssproxy + Is it the case that the package is installed? + + + + Run the following command to determine if the iprutils package is installed: +$ rpm -q iprutils + Is it the case that the package is installed? 
+ + + + Run the following command to determine if the krb5-workstation package is installed: +$ rpm -q krb5-workstation + Is it the case that the package is installed? + + + + Run the following command to determine if the tuned package is installed: +$ rpm -q tuned + Is it the case that the package is installed? + + + + Run the following command to determine if the sudo package is installed: $ rpm -q sudo + Is it the case that the package is not installed? + + + + To determine if arguments that commands can be executed with are restricted, run the following command: +$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))' /etc/sudoers /etc/sudoers.d/ +The command should return no output. + Is it the case that /etc/sudoers file contains user specifications that allow execution of commands with any arguments? + + + + To determine if !authenticate has not been configured for sudo, run the following command: +$ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/ +The command should return no output. + Is it the case that !authenticate is enabled in sudo? + + + + To determine if NOEXEC has been configured for sudo, run the following command: +$ sudo grep -ri "^[\s]*Defaults.*\bnoexec\b.*" /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that noexec is not enabled in sudo? + + + + Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation: + sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' +If no results are returned, this is a finding +If "Defaults !targetpw" is not defined, this is a finding. +If "Defaults !rootpw" is not defined, this is a finding. +If "Defaults !runaspw" is not defined, this is a finding. + Is it the case that invoke user passwd when using sudo? 
+ + + + To determine if the users are allowed to run commands as root, run the following commands: +$ sudo grep -PR '^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*[^\(\s]' /etc/sudoers /etc/sudoers.d/ +and +$ sudo grep -PR '^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*\([\w\s]*\b(root|ALL)\b[\w\s]*\)' /etc/sudoers /etc/sudoers.d/ +Both commands should return no output. + Is it the case that /etc/sudoers file contains rules that allow non-root users to run commands as root? + + + + To determine if NOPASSWD has been configured for the vdsm user for sudo, +run the following command: +$ sudo grep -ri nopasswd /etc/sudoers.d/ +The command should return output only for the vdsm user. + Is it the case that nopasswd is set for any users beyond vdsm? + + + + To determine if use_pty has been configured for sudo, run the following command: +$ sudo grep -ri "^[\s]*Defaults.*\buse_pty\b.*" /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that use_pty is not enabled in sudo? + + + + To determine if NOPASSWD or !authenticate have been configured for +sudo, run the following command: +$ sudo grep -ri "nopasswd\|\!authenticate" /etc/sudoers /etc/sudoers.d/ +The command should return no output. + Is it the case that nopasswd and/or !authenticate is enabled in sudo? + + + + To determine if requiretty has been configured for sudo, run the following command: +$ sudo grep -ri "^[\s]*Defaults.*\brequiretty\b.*" /etc/sudoers /etc/sudoers.d/ +The command should return a matching output. + Is it the case that requiretty is not enabled in sudo? + + + + To determine if NOPASSWD has been configured for sudo, run the following command: +$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/ +The command should return no output. + Is it the case that nopasswd is enabled in sudo? 
+ + + + To determine if negation is used to define commands users are allowed to execute using sudo, run the following command: +$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,!\n][^,\n]+,)*\s*(?:\([^\)]+\))?\s*(?!\s*\()(!\S+).*' /etc/sudoers /etc/sudoers.d/ +The command should return no output. + Is it the case that /etc/sudoers file contains rules that define the set of allowed commands using negation? + + + + To ensure the gdm package group is removed, run the following command: +$ rpm -qi gdm +The output should be: +package gdm is not installed + Is it the case that gdm has not been removed? + + + + In order to be sure that the databases are up-to-date, run the +dconf update +command as the administrator. + Is it the case that The system-wide dconf databases are up-to-date with regards to respective keyfiles? + + + + To verify that the DConf User profile is configured correctly, run the following +command: + +$ cat /etc/dconf/profile/user +The output should show the following: +user-db:user +system-db:local +system-db:site +system-db:distro + Is it the case that DConf User profile does not exist or is not configured correctly? + + + + To ensure that wireless network notification is disabled, run the following command: +$ gsettings get org.gnome.nm-applet suppress-wireless-networks-available +If properly configured, the output should be true. +To ensure that users cannot enable wireless notification, run the following: +$ grep wireless-networks-available /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/nm-applet/suppress-wireless-networks-available + Is it the case that wireless network notification is enabled and not disabled? + + + + To ensure that WIFI connections caanot be created, run the following command: +$ gsettings get org.gnome.nm-applet disable-wifi-create +If properly configured, the output should be true. 
+To ensure that users cannot enable WIFI connection creation, run the following: +$ grep wifi-create /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/nm-applet/disable-wifi-create + Is it the case that WIFI connections can be created through GNOME? + + + + To ensure that remote access requires credentials, run the following command: +$ gsettings get org.gnome.Vino authentication-methods +If properly configured, the output should be false. +To ensure that users cannot disable credentials for remote access, run the following: +$ grep authentication-methods /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/Vino/authentication-methods + Is it the case that wireless network notification is enabled and not disabled? + + + + To ensure that remote access connections are encrypted, run the following command: +$ gsettings get org.gnome.Vino require-encrpytion +If properly configured, the output should be true. +To ensure that users cannot disable encrypted remote connections, run the following: +$ grep require-encryption /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/Vino/require-encryption + Is it the case that remote access connections are not encrypted? + + + + These settings can be verified by running the following: +$ gsettings get org.gnome.desktop.media-handling automount-open +If properly configured, the output for automount-openshould be false. +To ensure that users cannot enable automount opening in GNOME3, run the following: +$ grep 'automount-open' /etc/dconf/db/local.d/locks/* +If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open + Is it the case that GNOME automounting is not disabled? + + + + These settings can be verified by running the following: +$ gsettings get org.gnome.desktop.media-handling automount +If properly configured, the output for automount should be false. 
+To ensure that users cannot enable automount in GNOME3, run the following: +$ grep 'automount' /etc/dconf/db/local.d/locks/* +If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount + Is it the case that GNOME automounting is not disabled? + + + + These settings can be verified by running the following: +$ gsettings get org.gnome.desktop.thumbnailers disable-all +If properly configured, the output should be true. +To ensure that users cannot how long until the the screensaver locks, run the following: +$ grep disable-all /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/desktop/thumbnailers/disable-all + Is it the case that GNOME thumbnailers are not disabled? + + + + These settings can be verified by running the following: +$ gsettings get org.gnome.desktop.media-handling autorun-never +If properly configured, the output for autorun-nevershould be true. +To ensure that users cannot enable autorun in GNOME3, run the following: +$ grep 'autorun-never' /etc/dconf/db/local.d/locks/* +If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never + Is it the case that GNOME autorun is not disabled? + + + + To ensure that the GUI power settings are not active, run the following command: +$ gsettings get org.gnome.settings-daemon.plugins.power active +If properly configured, the output should be false. +To ensure that users cannot enable the power settings, run the following: +$ grep power /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/settings-daemon/plugins/power/active + Is it the case that power settings are enabled and are not disabled? + + + + To ensure the system is configured to ignore the Ctrl-Alt-Del sequence, +run the following command: +$ gsettings get org.gnome.settings-daemon.plugins.media-keys logout +If properly configured, the output should be ''. 
+To ensure that users cannot enable the Ctrl-Alt-Del sequence, run the following: +$ grep logout /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/settings-daemon/plugins/media-keys/logout + Is it the case that GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed? + + + + To ensure the GUI does not allow user administratrion capabilities to all users, +run the following command: +$ gsettings get org.gnome.desktop.lockdown user-administration-disabled +If properly configured, the output should be true. +To ensure that users cannot enable user administration, run the following: +$ grep user-administration /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/desktop/lockdown/user-administration-disabled + Is it the case that user administration is not configured or disabled? + + + + To ensure that system location tracking is not active, run the following command: +$ gsettings get org.gnome.system.location enabled +$ gsettings get org.gnome.clocks geolocation +If properly configured, the output should be false. +To ensure that users cannot enable system location tracking, run the following: +$ grep location /etc/dconf/db/local.d/locks/* +If properly configured, the output should be +/org/gnome/system/location/enabled and /org/gnome/clocks/geolocation. + Is it the case that geolocation is enabled and not disabled? + + + + To ensure that users cannot change session idle and lock settings, run the following: +$ grep 'idle-delay' /etc/dconf/db/local.d/locks/* +If properly configured, the output should return: +/org/gnome/desktop/session/idle-delay + Is it the case that GNOME3 session settings are not locked or configured properly? + + + + To ensure the splash screen is configured not to show user name, run the following command: +$ gsettings get org.gnome.desktop.screensaver show-full-name-in-top-bar +If properly configured, the output should be false. 
+To ensure that users cannot enable user name on the lock screen, run the following: +$ grep show-full-name-in-top-bar /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/desktop/screensaver/show-full-name-in-top-bar + Is it the case that it is not set or configured properly? + + + + To ensure that users cannot disable the screensaver idle inactivity setting, run the following: +$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled + Is it the case that idle_activation_enabled is not locked? + + + + To ensure that users cannot change how long until the the screensaver locks, run the following: +$ grep lock-enabled /etc/dconf/db/local.d/locks/* +If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled + Is it the case that screensaver locking is not locked? + + + + To check the current idle time-out value, run the following command: +$ gsettings get org.gnome.desktop.session idle-delay +If properly configured, the output should be 'uint32 '. +To ensure that users cannot change the screensaver inactivity timeout setting, run the following: +$ grep idle-delay /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/desktop/session/idle-delay + Is it the case that idle-delay is not equal to or less than the expected value? + + + + To check the screensaver mandatory use status, run the following command: +$ gsettings get org.gnome.desktop.screensaver idle-activation-enabled +If properly configured, the output should be true. 
+To ensure that users cannot disable the screensaver idle inactivity setting, run the following: +$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled + Is it the case that idle_activation_enabled is not enabled or configured? + + + + To check the status of the idle screen lock activation, run the following command: + +$ gsettings get org.gnome.desktop.screensaver lock-enabled +If properly configured, the output should be true. +To ensure that users cannot change how long until the the screensaver locks, run the following: +$ grep lock-enabled /etc/dconf/db/local.d/locks/* +If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled + Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly? + + + + To ensure the screensaver is configured to be blank, run the following command: +$ gsettings get org.gnome.desktop.screensaver picture-uri +If properly configured, the output should be ''. + +To ensure that users cannot set the screensaver background, run the following: +$ grep picture-uri /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri + Is it the case that it is not set or configured properly? + + + + To check that the screen locks immediately when activated, run the following command: +$ gsettings get org.gnome.desktop.screensaver lock-delay +If properly configured, the output should be 'uint32 '. + +To ensure that users cannot change how long until the the screensaver locks, run the following: +$ grep lock-delay /etc/dconf/db/local.d/locks/* +If properly configured, the output for lock-delay should be /org/gnome/desktop/screensaver/lock-delay + Is it the case that the screensaver lock delay is missing, or is set to a value greater than 5? 
+ + + + To ensure that users cannot change session idle and lock settings, run the following: +$ grep 'lock-delay' /etc/dconf/db/local.d/locks/* +If properly configured, the output should return: +/org/gnome/desktop/screensaver/lock-delay + Is it the case that GNOME3 session settings are not locked or configured properly? + + + + To verify that automatic logins are disabled, run the following command: +$ grep -Pzoi "^\[daemon]\\nautomaticlogin.*" /etc/gdm/custom.conf +The output should show the following: +[daemon] +AutomaticLoginEnable=false + Is it the case that GDM allows users to automatically login? + + + + To ensure the login screen resets after a specified number of failures, +run the following command: +$ grep allowed-failures /etc/dconf/db/gdm.d/* +The output should be 3 or less. +To ensure that users cannot change or configure the resets after a specified +number of failures on the login screen, run the following: +$ grep allowed-failures /etc/dconf/db/gdm.d/locks/* +If properly configured, the output should be /org/gnome/login-screen/allowed-failures + Is it the case that allowed-failures is not equal to or less than the expected value? + + + + To ensure that XDMCP is disabled in /etc/gdm/custom.conf, run the following command: +grep -Pzo "\[xdmcp\]\nEnable=false" /etc/gdm/custom.conf +The output should return the following: + +[xdmcp] +Enable=false + + Is it the case that the Enable is not set to false or is missing in the xdmcp section of the /etc/gdm/custom.conf gdm configuration file? + + + + To ensure the user list is disabled, run the following command: +$ grep disable-user-list /etc/dconf/db/gdm.d/* +The output should be true. +To ensure that users cannot enable displaying the user list, run the following: +$ grep disable-user-list /etc/dconf/db/gdm.d/locks/* +If properly configured, the output should be /org/gnome/login-screen/disable-user-list + Is it the case that disable-user-list has not been configured or is not disabled? 
+ + + + To verify that timed logins are disabled, run the following command: +$ grep -Pzoi "^\[daemon]\\ntimedlogin.*" /etc/gdm/custom.conf +The output should show the following: +[daemon] +TimedLoginEnable=false + Is it the case that GDM allows a guest to login without credentials? + + + + To ensure smart card authentication on the login screen is enabled, run the following command: +$ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/* +The output should be true. +To ensure that users cannot disable smart card authentication on the login screen, run the following: +$ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/locks/* +If properly configured, the output should be /org/gnome/login-screen/enable-smartcard-authentication + Is it the case that enable-smartcard-authentication has not been configured or is disabled? + + + + To ensure screen locking on smartcard removal is enabled, run the following command: +$ grep removal-action /etc/dconf/db/local.d/* +The output should be lock-screen. +To ensure that users cannot disable screen locking on smartcard removal, run the following: +$ grep removal-action /etc/dconf/db/local.d/locks/* +If properly configured, the output should be /org/gnome/settings-daemon/peripherals/smartcard/removal-action + Is it the case that removal-action has not been configured? + + + + To ensure disable and restart on the login screen are disabled, run the following command: +$ grep disable-restart-buttons /etc/dconf/db/gdm.d/* +The output should be true. +To ensure that users cannot enable disable and restart on the login screen, run the following: +$ grep disable-restart-buttons /etc/dconf/db/gdm.d/locks/* +If properly configured, the output should be /org/gnome/login-screen/disable-restart-buttons + Is it the case that disable-restart-buttons has not been configured or is not disabled? 
+ + + + Run the following command to determine if /usr +is on its own partition or logical volume: +$ mount | grep "on /usr" +If /usr has its own partition or volume group, a line will be returned. + + Is it the case that no line is returned? + + + + Run the following command to determine if /tmp +is on its own partition or logical volume: +$ mount | grep "on /tmp" +If /tmp has its own partition or volume group, a line will be returned. + + Is it the case that no line is returned? + + + + Run the following command to determine if /home +is on its own partition or logical volume: +$ mount | grep "on /home" +If /home has its own partition or volume group, a line will be returned. + + Is it the case that no line is returned? + + + + Run the following command to determine if /var +is on its own partition or logical volume: +$ mount | grep "on /var" +If /var has its own partition or volume group, a line will be returned. + + Is it the case that no line is returned? + + + + Run the following command to determine if /var/log +is on its own partition or logical volume: +$ mount | grep "on /var/log" +If /var/log has its own partition or volume group, a line will be returned. + + Is it the case that no line is returned? + + + + Run the following command to determine if /boot +is on its own partition or logical volume: +$ mount | grep "on /boot" +If /boot has its own partition or volume group, a line will be returned. + + Is it the case that no line is returned? + + + + Run the following command to determine if /var/log/audit +is on its own partition or logical volume: +$ mount | grep "on /var/log/audit" +If /var/log/audit has its own partition or volume group, a line will be returned. + + Is it the case that no line is returned? + + + + Run the following command to determine if /opt +is on its own partition or logical volume: +$ mount | grep "on /opt" +If /opt has its own partition or volume group, a line will be returned. + + Is it the case that no line is returned? 
+ + + + Run the following command to determine if /srv +is on its own partition or logical volume: +$ mount | grep "on /srv" +If /srv has its own partition or volume group, a line will be returned. + + Is it the case that no line is returned? + + + + Run the following command to determine if the dnf-automatic package is installed: $ rpm -q dnf-automatic + Is it the case that the package is not installed? + + + + To ensure that the GPG key is installed, run: +$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey +The command should return one of the strings below: +gpg(Fedora 31 (31) <fedora-31@fedoraproject.org>) +gpg(Fedora 30 (30) <fedora-30@fedoraproject.org>) + Is it the case that the Fedora GPG Key is not installed? + + + + To determine whether dnf has been configured to disable +gpgcheck for any repos, inspect all files in +/etc/yum.repos.d and ensure the following does not appear in any +sections: +gpgcheck=0 +A value of 0 indicates that gpgcheck has been disabled for that repo. + Is it the case that GPG checking is disabled? + + + + To verify that only security updates will be automatically installed by dnf-automatic, run the following command: +$ sudo grep upgrade_type /etc/dnf/automatic.conf +The output should return the following: +upgrade_type = security + Is it the case that the upgrade_type is not set to security? + + + + To verify that packages comprising the available updates will be automatically installed by dnf-automatic, run the following command: +$ sudo grep apply_updates /etc/dnf/automatic.conf +The output should return the following: +apply_updates = yes + Is it the case that apply_updates is not set to yes? + + + + Run the following command to determine the current status of the dnf-automatic timer: $ systemctl is-active dnf-automatic.timer If the timer is running, it should return the following: active + Is it the case that the dnf-automatic.timer is not enabled? 
+ + + + To determine whether dnf is configured to use gpgcheck, +inspect /etc/dnf/dnf.conf and ensure the following appears in the +[main] section: +gpgcheck=1 +A value of 1 indicates that gpgcheck is enabled. Absence of a +gpgcheck line or a setting of 0 indicates that it is +disabled. + Is it the case that GPG checking is not enabled? + + + + To verify that localpkg_gpgcheck is configured properly, run the following +command: +$ grep localpkg_gpgcheck /etc/dnf/dnf.conf +The output should return something similar to: +localpkg_gpgcheck=1 + Is it the case that gpgcheck is not enabled or configured correctly to verify local packages? + + + + To check the ownership of /etc/issue, +run the command: +$ ls -lL /etc/issue +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/issue has owner root? + + + + To check the permissions of /etc/motd, +run the command: +$ ls -l /etc/motd +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/motd has unix mode -rw-r--r--? + + + + To check the permissions of /etc/issue, +run the command: +$ ls -l /etc/issue +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/issue has unix mode -rw-r--r--? + + + + To check the group ownership of /etc/issue, +run the command: +$ ls -lL /etc/issue +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/issue has group owner root? + + + + To check the ownership of /etc/motd, +run the command: +$ ls -lL /etc/motd +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/motd has owner root? + + + + To check the group ownership of /etc/motd, +run the command: +$ ls -lL /etc/motd +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/motd has group owner root? 
+ + + + To check if the system login banner is compliant, +run the following command: +$ cat /etc/issue + Is it the case that it does not display the required banner? + + + + To check if the system login banner is compliant, +run the following command: +$ cat /etc/motd + Is it the case that it does not display the required banner? + + + + To ensure the login warning banner text is properly set, run the following: +$ grep banner-message-text /etc/dconf/db/gdm.d/* +If properly configured, the proper banner text will appear. +To ensure the login warning banner text is locked and cannot be changed by a user, run the following: +$ grep banner-message-text /etc/dconf/db/gdm.d/locks/* +If properly configured, the output should be /org/gnome/login-screen/banner-message-text. + Is it the case that it does not? + + + + To ensure a login warning banner is enabled, run the following: +$ grep banner-message-enable /etc/dconf/db/gdm.d/* +If properly configured, the output should be true. +To ensure a login warning banner is locked and cannot be changed by a user, run the following: +$ grep banner-message-enable /etc/dconf/db/gdm.d/locks/* +If properly configured, the output should be /org/gnome/login-screen/banner-message-enable. + Is it the case that it is not? + + + + To check if pam_namespace.so is required for user login, run the following command: +$ grep pam_namespace.so /etc/pam.d/login +The output should return the following uncommented: +session required pam_namespace.so + Is it the case that pam_namespace.so is not required or is commented out? + + + + To ensure that last logon/access notification is configured correctly, run +the following command: + +$ grep pam_lastlog.so /etc/pam.d/postlogin +The output should show output showfailed. + Is it the case that that is not the case? 
+ + + + To ensure that even the root account is locked after a defined number of failed password +attempts, run the following command: +$ grep even_deny_root /etc/pam.d/system-auth +The output should show even_deny_root. + Is it the case that that is not the case? + + + + To check if root user is required to use complex passwords, run the following command: +$ grep local_users_only /etc/security/faillock.conf +The output should return local_users_only uncommented. + Is it the case that local_users_only is not uncommented or configured correctly? + + + + To ensure the failed password attempt policy is configured correctly, +run the following command: +$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth +For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is or greater. +If the fail_interval parameter is not set, the default setting +of 900 seconds is acceptable. + Is it the case that fail_interval is less than the required value? + + + + To verify the password reuse setting is compliant, run the following command: +$ grep remember /etc/pam.d/system-auth +The output should show the following at the end of the line: +remember= + Is it the case that the value of remember is not set equal to or greater than the expected setting? + + + + To ensure the failed password attempt policy is configured correctly, run the following command: +$ grep pam_faillock /etc/pam.d/system-auth +The output should show unlock_time=<some-large-number> or 0 for never. + Is it the case that unlock_time is less than the expected value? + + + + To ensure the failed password attempt policy is configured correctly, run the following command: +$ grep pam_faillock /etc/pam.d/system-auth +The output should show deny=. + Is it the case that that is not the case? 
+ + + + To check how many characters must differ during a password change, run the following command: +$ grep difok /etc/security/pwquality.conf +The difok parameter will indicate how many characters must differ. + Is it the case that difok is not found or not equal to or greater than the required value? + + + + To check how many retry attempts are permitted on a per-session basis, run the following command: +$ grep pam_pwquality /etc/pam.d/system-auth +The retry parameter will indicate how many attempts are permitted. +The DoD required value is less than or equal to 3. +This would appear as retry=3, or a lower value. + Is it the case that it is not the required value? + + + + To check how many characters are required in a password, run the following command: +$ grep minlen /etc/security/pwquality.conf +Your output should contain minlen = + Is it the case that minlen is not found, or not equal to or greater than the required value? + + + + To check the maximum value for consecutive repeating characters, run the following command: +$ grep maxrepeat /etc/security/pwquality.conf +Look for the value of the maxrepeat parameter. The DoD requirement is 3, which would appear as +maxrepeat=3. + Is it the case that maxrepeat is not found or not greater than or equal to the required value? + + + + To check how many uppercase characters are required in a password, run the following command: +$ grep ucredit /etc/security/pwquality.conf +The ucredit parameter (as a negative number) will indicate how many uppercase characters are required. +The DoD and FISMA require at least one uppercase character in a password. +This would appear as ucredit = -1. + Is it the case that ucredit is not found or not set less than or equal to the required value? 
+ + + + To check how many categories of characters must be used in password during a password change, +run the following command: +$ grep minclass /etc/security/pwquality.conf +The minclass parameter will indicate how many character classes must be used. If +the requirement was for the password to contain characters from three different categories, +then this would appear as minclass = 3. + Is it the case that minclass is not found or not set equal to or greater than the required value? + + + + To check how many digits are required in a password, run the following command: +$ grep dcredit /etc/security/pwquality.conf +The dcredit parameter (as a negative number) will indicate how many digits are required. +The DoD requires at least one digit in a password. This would appear as dcredit = -1. + Is it the case that dcredit is not found or not equal to or less than the required value? + + + + To check the value for maximum consecutive repeating characters, run the following command: +$ grep maxclassrepeat /etc/security/pwquality.conf +For DoD systems, the output should show maxclassrepeat=4. + Is it the case that that is not the case? + + + + To check how many special characters are required in a password, run the following command: +$ grep ocredit /etc/security/pwquality.conf +The ocredit parameter (as a negative number) will indicate how many special characters are required. +The DoD and FISMA require at least one special character in a password. +This would appear as ocredit = -1. + Is it the case that ocredit is not found or not equal to or less than the required value? + + + + To verify if root user is required to use complex passwords, run the following command: +$ grep enforce_for_root /etc/security/pwquality.conf +The output should return enforce_for_root uncommented. + Is it the case that enforce_for_root is not uncommented or configured correctly? 
+ + + + To verify if password complexities are only enforce on local users, run the following command: +$ grep local_users_only /etc/security/pwquality.conf +The output should return local_users_only uncommented. + Is it the case that local_users_only is not uncommented or configured correctly? + + + + To check how many lowercase characters are required in a password, run the following command: +$ grep lcredit /etc/security/pwquality.conf +The lcredit parameter (as a negative number) will indicate how many special characters are required. +The DoD and FISMA require at least one lowercase character in a password. This would appear as lcredit = -1. + Is it the case that lcredit is not found or not less than or equal to the required value? + + + + Inspect /etc/login.defs and ensure the following line appears: +ENCRYPT_METHOD SHA512 + Is it the case that it does not? + + + + +Inspect the password section of /etc/pam.d/system-auth + +and ensure that the pam_unix.so module includes the argument +sha512: + +$ grep sha512 /etc/pam.d/system-auth + Is it the case that it does not? + + + + Inspect /etc/libuser.conf and ensure the following line appears +in the [default] section: +crypt_style = sha512 + Is it the case that it does not? + + + + +To check that the debug-shell service is disabled in system boot configuration, +run the following command: +$ systemctl is-enabled debug-shell +Output should indicate the debug-shell service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ systemctl is-enabled debug-shell disabled + +Run the following command to verify debug-shell is not active (i.e. 
not running) through current runtime configuration: +$ systemctl is-active debug-shell + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the debug-shell is masked, run the following command: +$ systemctl show debug-shell | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that ? + + + + To check if authentication is required for emergency mode, run the following command: +$ grep sulogin /usr/lib/systemd/system/emergency.service +The output should be similar to the following, and the line must begin with +ExecStart and /usr/lib/systemd/systemd-sulogin-shell. + ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency + Is it the case that the output is different? + + + + To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check +that the ctrl-alt-del.target is masked and not active with the following +command: +sudo systemctl status ctrl-alt-del.target +The output should indicate that the target is masked and not active. It +might resemble following output: +ctrl-alt-del.target +Loaded: masked (/dev/null; bad) +Active: inactive (dead) + Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed? + + + + To check if authentication is required for single-user mode, run the following command: +$ grep sulogin /usr/lib/systemd/system/rescue.service +The output should be similar to the following, and the line must begin with +ExecStart and /usr/lib/systemd/systemd-sulogin-shell. + ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue + Is it the case that the output is different? + + + + Inspect /etc/default/grub for any instances of +systemd.confirm_spawn=(1|yes|true|on) in the kernel boot arguments. +Presence of a systemd.confirm_spawn=(1|yes|true|on) indicates +that interactive boot is enabled at boot time. 
+ Is it the case that Interactive boot is enabled at boot time? + + + + Run the following command to determine if the opensc package is installed: $ rpm -q opensc + Is it the case that the package is not installed? + + + + Run the following command to determine if the pcsc-lite package is installed: $ rpm -q pcsc-lite + Is it the case that the package is not installed? + + + + + +Run the following command to determine the current status of the +pcscd service: +$ systemctl is-active pcscd +If the service is running, it should return the following: active + Is it the case that the pcscd service is not enabled? + + + + +'Run the following command to determine if the openssl-pkcs11 package is installed: +$ rpm -q openssl-pkcs11' + Is it the case that smartcard software is not installed? + + + + Interview the SA to determine if all accounts not exempted by policy are +using CAC authentication. For DoD systems, the following systems and +accounts are exempt from using smart card (CAC) authentication: +SIPRNET systemsStandalone systemsApplication accountsTemporary employee accounts, such as students or interns, who cannot +easily receive a CAC or PIVOperational tactical locations that are not collocated with RAPIDS +workstations to issue CAC or ALTTest systems, such as those with an Interim Approval to Test (IATT) and +use a separate VPN, firewall, or security measure preventing access to +network and system components from outside the protection boundary +documented in the IATT. + Is it the case that non-exempt accounts are not using CAC authentication? + + + + To verify that is configured +as the smart card driver, run the following command changing ARCH for +the architecture of your operating system: +$ grep force_card_driver /etc/opensc-ARCH +The output should return something similar to: +force_card_drivers = ; + Is it the case that the smart card driver is not configured correctly? 
+ + + + To verify that opensc is configured in the NSS database, +run the following command: +$ pkcs11-switch +The output should return opensc + Is it the case that opensc is not in use by the nss database? + + + + To verify that is configured +as the smart card driver, run the following command changing ARCH for +the architecture of your operating system: +$ grep card_drivers /etc/opensc-ARCH +The output should return something similar to: +card_drivers = ; + Is it the case that the smart card driver is not configured correctly? + + + + Run the following command to determine if the screen package is installed: $ rpm -q screen + Is it the case that the package is not installed? + + + + Run the following command to determine if the tmux package is installed: $ rpm -q tmux + Is it the case that the package is not installed? + + + + To verify that tmux is not listed as allowed shell on the system +run the following command: +$ grep 'tmux$' /etc/shells +The output should be empty. + Is it the case that tmux is listed in /etc/shells? + + + + To verify that vlock is configured as a locking mechanism in tmux, run the following command: +$ grep lock-command /etc/tmux.conf +The output should return the following: +set -g lock-command vlock + Is it the case that lock-command is not set? + + + + To verify that session locking after period of inactivity is configured in tmux, +run the following command: +$ grep lock-after-time /etc/tmux.conf +The output should return the following: +set -g lock-after-time 900 + Is it the case that lock-after-time is not set or set to zero? + + + + To verify that tmux is configured to execute, +run the following command: +$ grep -A1 -B3 "case ..name. in sshd|login) exec tmux ;; esac" /etc/bashrc +The output should return the following: +if [ "$PS1" ]; then + parent=$(ps -o ppid= -p $$) + name=$(ps -o comm= -p $parent) + case "$name" in sshd|login) exec tmux ;; esac +fi + Is it the case that exec tmux is not present at the end of bashrc? 
+ + + + To check the password warning age, run the command: +$ grep PASS_WARN_AGE /etc/login.defs +The DoD requirement is 7. + Is it the case that it is not set to the required value? + + + + To check the minimum password age, run the command: +$ grep PASS_MIN_DAYS /etc/login.defs + Is it the case that it is not equal to or greater than the required value? + + + + To check the maximum password age, run the command: +$ grep PASS_MAX_DAYS /etc/login.defs +The DoD and FISMA requirement is 60. +A value of 180 days is sufficient for many environments. + Is it the case that PASS_MAX_DAYS is not set equal to or greater than the required value? + + + + To check the minimum password length, run the command: +$ grep PASS_MIN_LEN /etc/login.defs +The DoD requirement is 15. + Is it the case that it is not set to the required value? + + + + Run the following command to check if the line is present: +grep pam_wheel /etc/pam.d/su +The output should contain the following line: +auth required pam_wheel.so use_uid + Is it the case that the line is not in the file or it is commented? + + + + To check for virtual console entries which permit root login, run the +following command: +$ sudo grep ^vc/[0-9] /etc/securetty +If any output is returned, then root logins over virtual console devices is permitted. + Is it the case that root login over virtual console devices is permitted? + + + + To check for serial port entries which permit root login, +run the following command: +$ sudo grep ^ttyS/[0-9] /etc/securetty +If any output is returned, then root login over serial ports is permitted. + Is it the case that root login over serial ports is permitted? + + + + To obtain a listing of all users, their UIDs, and their shells, run the +command: $ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd Identify +the system accounts from this listing. These will primarily be the accounts +with UID numbers less than UID_MIN, other than root. 
Value of the UID_MIN +directive is set in /etc/login.defs configuration file. In the default +configuration UID_MIN is set to 1000. + Is it the case that any system account (other than root) has a login shell? + + + + To ensure root may not directly login to the system over physical consoles, +run the following command: +cat /etc/securetty +If any output is returned, this is a finding. + Is it the case that the /etc/securetty file is not empty? + + + + To list all password file entries for accounts with UID 0, run the +following command: +$ awk -F: '($3 == \"0\") {print}' /etc/passwd +This should print only one line, for the user root. + +If there is a finding, change the UID of the failing (non-root) user. If +the account is associated with the system commands or applications the UID +should be changed to one greater than 0 but less than +1000. Otherwise assign a UID of greater than 1000 that +has not already been assigned. + Is it the case that any account other than root has a UID of 0? + + + + Check the root home directory for a .mozilla directory. If +one exists, ensure browsing is limited to local service administration. + Is it the case that this is not the case? + + + + To obtain a listing of all users and the contents of their shadow password +field, run the command: +$ sudo awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow +Identify the system accounts from this listing. These will primarily be the accounts +with UID numbers less than UID_MIN, other than root. Value of the UID_MIN +directive is set in /etc/login.defs configuration file. In the default +configuration, UID_MIN is set to 500. + Is it the case that it is not? + + + + To view the root user's PATH, run the following command: +$ sudo env | grep PATH +If correctly configured, the PATH must: use vendor default settings, +have no empty entries, and have no entries beginning with a character +other than a slash (/). + Is it the case that any of these conditions are not met? 
+ + + + To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, +run the following command: +$ sudo pwck -qr +There should be no output. + Is it the case that GIFs referenced in /etc/passwd are returned as not defined in /etc/group? + + + + To check for legacy lines in /etc/shadow, run the following command: + grep '^\+' /etc/shadow +The command should not return any output. + Is it the case that the file contains legacy lines? + + + + To check the system for the existence of any .netrc files, +run the following command: +$ sudo find /home -xdev -name .netrc + Is it the case that any .netrc files exist? + + + + To check that no password hashes are stored in +/etc/passwd, run the following command: +awk '!/\S:x|\*/ {print}' /etc/passwd +If it produces any output, then a password hash is +stored in /etc/passwd. + Is it the case that any stored hashes are found in /etc/passwd? + + + + To verify that null passwords cannot be used, run the following command: + +$ grep nullok /etc/pam.d/system-auth + +If this produces any output, it may be possible to log into accounts +with empty passwords. Remove any instances of the nullok option to +prevent logins with empty passwords. + Is it the case that NULL passwords can be used? + + + + To verify the number of rounds for the password hashing algorithm is compliant, run the following command: +$ grep rounds /etc/pam.d/password-auth +The output should show the following match: +rounds= + Is it the case that it does not set the appropriate number of hashing rounds? + + + + To check for legacy lines in /etc/passwd, run the following command: + grep '^\+' /etc/passwd +The command should not return any output. + Is it the case that the file contains legacy lines? 
+ + + + To verify the number of rounds for the password hashing algorithm is compliant, run the following command: +$ grep rounds /etc/pam.d/system-auth +The output should show the following match: +rounds= + Is it the case that it does not set the appropriate number of hashing rounds? + + + + To check for legacy lines in /etc/group, run the following command: + grep '^\+' /etc/group +The command should not return any output. + Is it the case that the file contains legacy lines? + + + + For every temporary and emergency account, run the following command +to obtain its account aging and expiration information: +$ sudo chage -l USER +Verify each of these accounts has an expiration date set as documented. + Is it the case that any temporary or emergency accounts have no expiration date set or do not expire within a documented time frame? + + + + Verify that the system is integrated with a centralized authentication mechanism +such as as Active Directory, Kerberos, Directory Server, etc. that has +automated account mechanisms in place. + Is it the case that the system is not using a centralized authentication mechanism, or it is not automated? + + + + To verify the INACTIVE setting, run the following command: +$ grep "INACTIVE" /etc/default/useradd +The output should indicate the INACTIVE configuration option is set +to an appropriate integer as shown in the example below: +$ grep "INACTIVE" /etc/default/useradd +INACTIVE= + Is it the case that the value of INACTIVE is greater than the expected value? + + + + To verify all accounts have unique names, run the following command: +$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d +No output should be returned. + Is it the case that a line is returned? + + + + Run the following command to ensure that /tmp is configured as a +polyinstantiated directory: +$ sudo grep /tmp /etc/security/namespace.conf +The output should return the following: +/tmp /tmp/tmp-inst/ level root,adm + Is it the case that is not configured? 
+ + + + Verify the FAIL_DELAY setting is configured correctly in the /etc/login.defs file by +running the following command: +$ sudo grep -i "FAIL_DELAY" /etc/login.defs +All output must show the value of FAIL_DELAY set as shown in the below: +$ sudo grep -i "FAIL_DELAY" /etc/login.defs +FAIL_DELAY + Is it the case that the above command returns no output, or FAIL_DELAY is configured less than the expected value? + + + + Run the following command to ensure the maxlogins value is +configured for all users on the system: +# grep "maxlogins" /etc/security/limits.conf +You should receive output similar to the following: +*\t\thard\tmaxlogins\t + Is it the case that maxlogins is not equal to or less than the expected value? + + + + To ensure the user home directory is not group-writable or world-readable, run the following: +# ls -ld /home/USER + Is it the case that the user home directory is group-writable or world-readable? + + + + Check if the system is configured to create home directories for local interactive users with the following command: + +$ sudo grep create_home /etc/login.defs + + Is it the case that the value of CREATE_HOME is not set to yes, is missing, or the line is commented out? + + + + Run the following command to ensure that /var/tmp is configured as a +polyinstantiated directory: +$ sudo grep /var/tmp /etc/security/namespace.conf +The output should return the following: +/var/tmp /var/tmp/tmp-inst/ level root,adm + Is it the case that is not configured? + + + + Run the following command to ensure the TMOUT value is configured for all users +on the system: + +$ sudo grep TMOUT /etc/profile /etc/profile.d/*.sh + +The output should return the following: +TMOUT= + Is it the case that value of TMOUT is not less than or equal to expected setting? + + + + To ensure write permissions are disabled for group and other + for each element in root's path, run the following command: +# ls -ld DIR + Is it the case that group or other write permissions exist? 
+ + + + Verify the UMASK setting is configured correctly in the /etc/login.defs file by +running the following command: +# grep -i "UMASK" /etc/login.defs +All output must show the value of umask set as shown in the below: +# grep -i "UMASK" /etc/login.defs +umask + Is it the case that the above command returns no output, or if the umask is configured incorrectly? + + + + Verify the umask setting is configured correctly in the /etc/profile file by +running the following command: +# grep "umask" /etc/profile +All output must show the value of umask set as shown in the below: +# grep "umask" /etc/profile +umask + Is it the case that the above command returns no output, or if the umask is configured incorrectly? + + + + Run the following command to determine if the audispd-plugins package is installed: $ rpm -q audispd-plugins + Is it the case that the package is not installed? + + + + + Is it the case that the package is not installed? + + + + + Is it the case that the package is not installed? + + + + + +Run the following command to determine the current status of the +auditd service: +$ systemctl is-active auditd +If the service is running, it should return the following: active + Is it the case that ? + + + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If they include audit=1, then auditing +is enabled at boot time. + +To ensure audit_backlog_limit=8192 is configured on all installed kernels, the +following command may be used: + +$ sudo /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit=8192" + + Is it the case that audit backlog limit is not configured? + + + + +Inspect the form of default GRUB 2 command line for the Linux operating system +in /boot/grub2/grubenv. If they include audit=1, then auditing +is enabled at boot time. 
+# grep 'kernelopts.*audit=1.*' /boot/grub2/grubenv + +To ensure audit=1 is configured on all installed kernels, the +following command may be used: + +# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1" + + Is it the case that auditing is not enabled at boot time? + + + + To determine if the system is configured to audit calls to the +openat system call, run the following command: +preserve$ sudo grep "openat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +open system call, run the following command: +preserve$ sudo grep "open" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To verify that auditing is configured for system administrator actions, run the following command: +$ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d\|-w /etc/sudoers\|-w /etc/sudoers.d" + Is it the case that there is not output? + + + + To determine if the system is configured to audit calls to the +openat system call, run the following command: +preserve$ sudo grep "openat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit account changes, +run the following command: + +auditctl -l | egrep '(/etc/shadow)' + +If the system is configured to watch for account changes, lines should be returned for +each file specified (and with perm=wa for each). + Is it the case that the system is not configured to audit account changes? 
+ + + + To determine if the system is configured to audit accesses to +/var/log/audit directory, run the following command: +preserve$ sudo grep "dir=/var/log/audit" /etc/audit/audit.rules +If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + + + + To determine if the system is configured to audit account changes, +run the following command: + +auditctl -l | egrep '(/etc/group)' + +If the system is configured to watch for account changes, lines should be returned for +each file specified (and with perm=wa for each). + Is it the case that the system is not configured to audit account changes? + + + + +To properly set the owner of /var/log/audit, run the command: +$ sudo chown root /var/log/audit + +To properly set the owner of /var/log/audit/*, run the command: +$ sudo chown root /var/log/audit/* + Is it the case that ? + + + + To determine if the system is configured to audit changes to its network configuration, +run the following command: +auditctl -l | egrep '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)' +If the system is configured to watch for network configuration changes, a line should be returned for +each file specified (and perm=wa should be indicated for each). + Is it the case that the system is not configured to audit changes of the network configuration? + + + + To determine if the system is configured to audit calls to the +open system call, run the following command: +preserve$ sudo grep "open" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +open system call, run the following command: +preserve$ sudo grep "open" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
+ + + + To verify that auditing is configured for all media exportation events, run the following command: +$ sudo auditctl -l | grep syscall | grep mount + Is it the case that there is no output? + + + + To determine if the system is configured to audit account changes, +run the following command: + +auditctl -l | egrep '(/etc/security/opasswd)' + +If the system is configured to watch for account changes, lines should be returned for +each file specified (and with perm=wa for each). + Is it the case that the system is not configured to audit account changes? + + + + Run the following command to check the mode of the system audit logs: +$ sudo ls -ld /var/log/audit +Audit log directories must be mode 0700 or less permissive. + Is it the case that any are more permissive? + + + + To determine if the system is configured to audit account changes, +run the following command: + +auditctl -l | egrep '(/etc/passwd)' + +If the system is configured to watch for account changes, lines should be returned for +each file specified (and with perm=wa for each). + Is it the case that the system is not configured to audit account changes? + + + + To determine if the system is configured to audit account changes, +run the following command: +auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' +If the system is configured to watch for account changes, lines should be returned for +each file specified (and with perm=wa for each). + Is it the case that the system is not configured to audit account changes? + + + + To determine if the system is configured to audit calls to the +open system call, run the following command: +preserve$ sudo grep "open" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
+ + + + To determine if the system is configured to audit account changes, +run the following command: + +auditctl -l | egrep '(/etc/gshadow)' + +If the system is configured to watch for account changes, lines should be returned for +each file specified (and with perm=wa for each). + Is it the case that the system is not configured to audit account changes? + + + + Run the following command to check the mode of the system audit logs: +$ sudo ls -l /var/log/audit +Audit logs must be mode 0640 or less permissive. + Is it the case that any are more permissive? + + + + To determine if the system is configured to audit calls to the +open_by_handle_at system call, run the following command: +preserve$ sudo grep "open_by_handle_at" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +openat system call, run the following command: +preserve$ sudo grep "openat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +openat system call, run the following command: +preserve$ sudo grep "openat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +open_by_handle_at system call, run the following command: +preserve$ sudo grep "open_by_handle_at" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
+ + + + To determine if the system is configured to audit calls to the +open_by_handle_at system call, run the following command: +preserve$ sudo grep "open_by_handle_at" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +open_by_handle_at system call, run the following command: +preserve$ sudo grep "open_by_handle_at" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit changes to its SELinux +configuration files, run the following command: +$ sudo auditctl -l | grep "dir=/etc/selinux" +If the system is configured to watch for changes to its SELinux +configuration, a line should be returned (including +perm=wa indicating permissions that are watched). + Is it the case that the system is not configured to audit attempts to change the MAC policy? + + + + To determine if the system is configured to audit successful calls +to the ftruncate system call, run the following command: +preserve$ sudo grep "ftruncate" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the lsetxattr system call, run the following command: +preserve$ sudo grep "lsetxattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the openat system call, run the following command: +preserve$ sudo grep "openat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
+ + + + To determine if the system is configured to audit calls to the +lsetxattr system call, run the following command: +preserve$ sudo grep "lsetxattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +truncate system call, run the following command: +preserve$ sudo grep "truncate" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the fchmod system call, run the following command: +preserve$ sudo grep "fchmod" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the creat system call, run the following command: +preserve$ sudo grep "creat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the open_by_handle_at system call, run the following command: +preserve$ sudo grep "open_by_handle_at" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the fremovexattr system call, run the following command: +preserve$ sudo grep "fremovexattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
+ + + + To determine if the system is configured to audit calls to the +setxattr system call, run the following command: +preserve$ sudo grep "setxattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the open_by_handle_at system call, run the following command: +preserve$ sudo grep "open_by_handle_at" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +open_by_handle_at system call, run the following command: +preserve$ sudo grep "open_by_handle_at" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +open system call, run the following command: +preserve$ sudo grep "open" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +openat system call, run the following command: +preserve$ sudo grep "openat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the chown system call, run the following command: +preserve$ sudo grep "chown" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
+ + + + To determine if the system is configured to audit calls to the +open_by_handle_at system call, run the following command: +preserve$ sudo grep "open_by_handle_at" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +fchownat system call, run the following command: +preserve$ sudo grep "fchownat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +chmod system call, run the following command: +preserve$ sudo grep "chmod" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the open system call, run the following command: +preserve$ sudo grep "open" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +unlink system call, run the following command: +preserve$ sudo grep "unlink" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the rename system call, run the following command: +preserve$ sudo grep "rename" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
+ + + + To determine if the system is configured to audit calls to the +chown system call, run the following command: +preserve$ sudo grep "chown" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the unlinkat system call, run the following command: +preserve$ sudo grep "unlinkat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the openat system call, run the following command: +preserve$ sudo grep "openat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the openat system call, run the following command: +preserve$ sudo grep "openat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the setxattr system call, run the following command: +preserve$ sudo grep "setxattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the lchown system call, run the following command: +preserve$ sudo grep "lchown" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
+ + + + To determine if the system is configured to audit calls to the +open system call, run the following command: +preserve$ sudo grep "open" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +openat system call, run the following command: +preserve$ sudo grep "openat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +ftruncate system call, run the following command: +preserve$ sudo grep "ftruncate" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +removexattr system call, run the following command: +preserve$ sudo grep "removexattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the truncate system call, run the following command: +preserve$ sudo grep "truncate" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the open system call, run the following command: +preserve$ sudo grep "open" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +fchmod system call, run the following command: +preserve$ sudo grep "fchmod" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. 
+ + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the unlink system call, run the following command: +preserve$ sudo grep "unlink" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +lchown system call, run the following command: +preserve$ sudo grep "lchown" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +openat system call, run the following command: +preserve$ sudo grep "openat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the fchmodat system call, run the following command: +preserve$ sudo grep "fchmodat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the fsetxattr system call, run the following command: +preserve$ sudo grep "fsetxattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the open_by_handle_at system call, run the following command: +preserve$ sudo grep "open_by_handle_at" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
+ + + + To determine if the system is configured to audit calls to the +renameat system call, run the following command: +preserve$ sudo grep "renameat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +open system call, run the following command: +preserve$ sudo grep "open" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +openat system call, run the following command: +preserve$ sudo grep "openat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +open system call, run the following command: +preserve$ sudo grep "open" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the fchownat system call, run the following command: +preserve$ sudo grep "fchownat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the open system call, run the following command: +preserve$ sudo grep "open" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the renameat system call, run the following command: +preserve$ sudo grep "renameat" /etc/audit.* +If the system is configured to audit this activity, it will return a line. 
+ + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +fremovexattr system call, run the following command: +preserve$ sudo grep "fremovexattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +fchown system call, run the following command: +preserve$ sudo grep "fchown" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +open_by_handle_at system call, run the following command: +preserve$ sudo grep "open_by_handle_at" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +open_by_handle_at system call, run the following command: +preserve$ sudo grep "open_by_handle_at" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +lremovexattr system call, run the following command: +preserve$ sudo grep "lremovexattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the chmod system call, run the following command: +preserve$ sudo grep "chmod" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
+ + + + To determine if the system is configured to audit successful calls +to the removexattr system call, run the following command: +preserve$ sudo grep "removexattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +fsetxattr system call, run the following command: +preserve$ sudo grep "fsetxattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +creat system call, run the following command: +preserve$ sudo grep "creat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit successful calls +to the fchown system call, run the following command: +preserve$ sudo grep "fchown" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +fchmodat system call, run the following command: +preserve$ sudo grep "fchmodat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To verify that the audit system collects unauthorized file accesses, run the following commands: +$ sudo grep EACCES /etc/audit/audit.rules +$ sudo grep EPERM /etc/audit/audit.rules + Is it the case that 32-bit and 64-bit system calls to creat, open, openat, open_by_handle_at, truncate, and ftruncate are not audited during EACCES and EPERM? 
+ + + + To determine if the system is configured to audit successful calls +to the lremovexattr system call, run the following command: +preserve$ sudo grep "lremovexattr" /etc/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +rename system call, run the following command: +preserve$ sudo grep "rename" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +unlinkat system call, run the following command: +preserve$ sudo grep "unlinkat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +rmdir system call, run the following command: +preserve$ sudo grep "rmdir" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. +To determine if the system is configured to audit calls to the +unlink system call, run the following command: +preserve$ sudo grep "unlink" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. +To determine if the system is configured to audit calls to the +unlinkat system call, run the following command: +preserve$ sudo grep "unlinkat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. +To determine if the system is configured to audit calls to the +rename system call, run the following command: +preserve$ sudo grep "rename" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. 
+To determine if the system is configured to audit calls to the +renameat system call, run the following command: +preserve$ sudo grep "renameat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +rmdir system call, run the following command: +preserve$ sudo grep "rmdir" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +unlink system call, run the following command: +preserve$ sudo grep "unlink" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +renameat system call, run the following command: +preserve$ sudo grep "renameat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +rename system call, run the following command: +preserve$ sudo grep "rename" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +unlinkat system call, run the following command: +preserve$ sudo grep "unlinkat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To verify that auditing is configured for system administrator actions, run the following command: +$ sudo auditctl -l | grep "watch=/var/run/faillock\|-w /var/run/faillock" + Is it the case that there is not output? 
+ + + + To verify that auditing is configured for system administrator actions, run the following command: +$ sudo auditctl -l | grep "watch=/var/log/tallylog\|-w /var/log/tallylog" + Is it the case that there is not output? + + + + To verify that auditing is configured for system administrator actions, run the following command: +$ sudo auditctl -l | grep "watch=/var/log/lastlog\|-w /var/log/lastlog" + Is it the case that there is not output? + + + + If the system is not configured to audit time changes, this is a finding. +If the system is 64-bit only, this is not applicable +ocil: | +To determine if the system is configured to audit calls to the +stime system call, run the following command: +preserve$ sudo grep "stime" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +clock_settime system call, run the following command: +preserve$ sudo grep "clock_settime" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit attempts to +alter time via the /etc/localtime file, run the following +command: +$ sudo auditctl -l | grep "watch=/etc/localtime" +If the system is configured to audit this activity, it will return a line. + Is it the case that the system is not configured to audit time changes? + + + + To determine if the system is configured to audit calls to the +adjtimex system call, run the following command: +preserve$ sudo grep "adjtimex" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
+ + + + To determine if the system is configured to audit calls to the +settimeofday system call, run the following command: +preserve$ sudo grep "settimeofday" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep sudoedit /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? + + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep crontab /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? + + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep newgidmap /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? + + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep ssh-keysign /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? + + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep umount /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? + + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep newgrp /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? 
+ + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep chage /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? + + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep gpasswd /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? + + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep chsh /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? + + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep pt_chown /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? + + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep newuidmap /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? + + + + To verify that auditing of privileged command use is configured, run the +following command for each local partition PART to find relevant +setuid / setgid programs: +$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null +Run the following command to verify entries in the audit rules for all programs +found with the previous command: +$ sudo grep path /etc/audit/audit.rules +It should be the case that all relevant setuid / setgid programs have a line +in the audit rules. + Is it the case that it is not the case? 
+ + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep sudo /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? + + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep '\bat\b' /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? + + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep userhelper /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? + + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep passwd /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? + + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep unix_chkpwd /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? + + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep su /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? + + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep usernetctl /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? 
+ + + + To verify that auditing of privileged command use is configured, run the +following command: +$ sudo grep mount /etc/audit/audit.rules /etc/audit/rules.d/* +It should return a relevant line in the audit rules. + Is it the case that it is not the case? + + + + To determine if the system is configured to audit calls to the +init_module system call, run the following command: +preserve$ sudo grep "init_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. +To determine if the system is configured to audit calls to the +delete_module system call, run the following command: +preserve$ sudo grep "delete_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +delete_module system call, run the following command: +preserve$ sudo grep "delete_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +init_module system call, run the following command: +preserve$ sudo grep "init_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +finit_module system call, run the following command: +preserve$ sudo grep "finit_module" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
+ + + + To verify that execution of the command is being audited, run the following command: +$ sudo grep "path=/usr/sbin/setsebool" /etc/audit/audit.rules /etc/audit/rules.d/* +The output should return something similar to: +-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged + Is it the case that ? + + + + To verify that execution of the command is being audited, run the following command: +$ sudo grep "path=/usr/bin/chcon" /etc/audit/audit.rules /etc/audit/rules.d/* +The output should return something similar to: + +-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged + Is it the case that ? + + + + To verify that execution of the command is being audited, run the following command: +$ sudo grep "path=/usr/sbin/semanage" /etc/audit/audit.rules /etc/audit/rules.d/* +The output should return something similar to: +-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged + Is it the case that ? + + + + To verify that execution of the command is being audited, run the following command: +$ sudo grep "path=/usr/sbin/restorecon" /etc/audit/audit.rules /etc/audit/rules.d/* +The output should return something similar to: +-a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged + Is it the case that ? + + + + To verify that execution of the command is being audited, run the following command: +$ sudo grep "path=/usr/sbin/seunshare" /etc/audit/audit.rules /etc/audit/rules.d/* +The output should return something similar to: +-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged + Is it the case that ? + + + + To determine if the system is configured to audit calls to the +setxattr system call, run the following command: +preserve$ sudo grep "setxattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
+ + + + To determine if the system is configured to audit calls to the +fsetxattr system call, run the following command: +preserve$ sudo grep "fsetxattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +umount2 system call, run the following command: +preserve$ sudo grep "umount2" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +removexattr system call, run the following command: +preserve$ sudo grep "removexattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +fchmodat system call, run the following command: +preserve$ sudo grep "fchmodat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +lsetxattr system call, run the following command: +preserve$ sudo grep "lsetxattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +fchownat system call, run the following command: +preserve$ sudo grep "fchownat" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? 
+ + + + To determine if the system is configured to audit calls to the +fremovexattr system call, run the following command: +preserve$ sudo grep "fremovexattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +chmod system call, run the following command: +preserve$ sudo grep "chmod" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +umount system call, run the following command: +preserve$ sudo grep "umount" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +lremovexattr system call, run the following command: +preserve$ sudo grep "lremovexattr" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +lchown system call, run the following command: +preserve$ sudo grep "lchown" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +chown system call, run the following command: +preserve$ sudo grep "chown" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +fchmod system call, run the following command: +preserve$ sudo grep "fchmod" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. 
+ + Is it the case that no line is returned? + + + + To determine if the system is configured to audit calls to the +fchown system call, run the following command: +preserve$ sudo grep "fchown" /etc/audit/audit.* +If the system is configured to audit this activity, it will return a line. + + Is it the case that no line is returned? + + + + To verify the audispd plugin off-loads audit records onto a different system or +media from the system being audited, run the following command: + +$ sudo grep -i remote_server /etc/audit/audisp-remote.conf + +The output should return something similar to +remote_server = + Is it the case that audispd is not sending logs to a remote system? + + + + To verify the audispd plugin encrypts audit records off-loaded onto a different +system or media from the system being audited, run the following command: + +$ sudo grep -i transport /etc/audit/audisp-remote.conf +The output should return the following: +transport = KRB5 + Is it the case that audispd is not encrypting audit records when sent over the network? + + + + Inspect /etc/audit/auditd.conf and locate the following line to +determine if the system is configured to send email to an +account when it needs to notify an administrator: +action_mail_acct = + Is it the case that auditd is not configured to send emails per identified actions? + + + + To verify that Audit Daemon is configured to flush to disk after +every 50 records, run the following command: +$ sudo grep freq /etc/audit/auditd.conf +The output should return the following: +freq = 50 + Is it the case that freq isn't set to 50? + + + + Inspect /etc/audit/auditd.conf and locate the following line to +determine how much data the system will retain in each audit log file: +$ sudo grep max_log_file /etc/audit/auditd.conf +max_log_file = 6 + Is it the case that the system audit data threshold has not been properly configured? 
+ + + + Inspect /etc/audit/auditd.conf and locate the following line to +determine if the system is configured to either log to syslog, +switch to single-user mode, execute a script, +or halt when the disk is out of space: +disk_full_action single + Is it the case that the system is not configured to switch to single-user mode for corrective action? + + + + Inspect /etc/audit/auditd.conf and locate the following line to +determine if the system is configured to synchronize audit event data +with the log files on the disk: +$ sudo grep flush /etc/audit/auditd.conf +flush = DATA +Acceptable values are DATA, and SYNC. The setting is +case-insensitive. + Is it the case that auditd is not configured to synchronously write audit event data to disk? + + + + Inspect /etc/audit/auditd.conf and locate the following line to +determine if the system is configured to rotate logs when they reach their +maximum size: +$ sudo grep max_log_file_action /etc/audit/auditd.conf +max_log_file_action rotate + Is it the case that the system has not been properly configured to rotate audit logs? + + + + To verify that Audit Daemon is configured to record the hostname +in audit events, run the following command: +$ sudo grep name_format /etc/audit/auditd.conf +The output should return the following: +name_format = hostname + Is it the case that name_format isn't set to hostname? + + + + To verify that Audit Daemon is configured to resolve all uid, gid, syscall, +architecture, and socket address information before writing the event to disk, +run the following command: +$ sudo grep log_format /etc/audit/auditd.conf +The output should return the following: +log_format = ENRICHED + Is it the case that log_format isn't set to ENRICHED? 
+ + + + Inspect /etc/audit/auditd.conf and locate the following line to +determine if the system is configured to email the administrator when +disk space is starting to run low: +$ sudo grep space_left_action /etc/audit/auditd.conf +space_left_action +Acceptable values are email, suspend, single, and halt. + Is it the case that the system is not configured to send an email to the system administrator when disk space is starting to run low? + + + + Inspect /etc/audit/auditd.conf and locate the following line to +determine if the system is configured to either log to syslog, +switch to single-user mode, execute a script, +or halt when the disk errors: +disk_error_action single + Is it the case that the system is not configured to switch to single-user mode for corrective action? + + + + Inspect /etc/audit/auditd.conf and locate the following line to +determine how many logs the system is configured to retain after rotation: +$ sudo grep num_logs /etc/audit/auditd.conf +num_logs = 5 + Is it the case that the system log file retention has not been properly configured? + + + + To verify the audispd's syslog plugin is active, run the following command: + +$ sudo grep active /etc/audit/plugins.d/syslog.conf + +If the plugin is active, the output will show yes. + Is it the case that it is not activated? + + + + To verify that Audit Daemon is configured to write logs to the disk, run the +following command: +$ sudo grep write_logs /etc/audit/auditd.conf +The output should return the following: +write_logs = yes + Is it the case that write_logs isn't set to yes? + + + + Inspect /etc/audit/auditd.conf and locate the following line to +determine if the system is configured to either suspend, switch to single user mode, +or halt when disk space has run low: +admin_space_left_action single + Is it the case that the system is not configured to switch to single user mode for corrective action? 
+ + + + To verify that Audit Daemon is configured to include local events, run the +following command: +$ sudo grep local_events /etc/audit/auditd.conf +The output should return the following: +local_events = yes + Is it the case that local_events isn't set to yes? + + + + +To check that the autofs service is disabled in system boot configuration, +run the following command: +$ systemctl is-enabled autofs +Output should indicate the autofs service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ systemctl is-enabled autofs disabled + +Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration: +$ systemctl is-active autofs + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the autofs is masked, run the following command: +$ systemctl show autofs | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that ? + + + + +If the system is configured to prevent the loading of the usb-storage kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? + + + + +If the system is configured to prevent the loading of the cramfs kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. 
+Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r cramfs /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? + + + + The runtime status of the kernel.core_pattern kernel parameter can be queried +by running the following command: +$ sysctl kernel.core_pattern +The output of the command should indicate a value of |/bin/false. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*kernel.core_pattern\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +kernel.core_pattern = |/bin/false +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains kernel.core_pattern = |/bin/false, and that one assignment +is returned when +$ grep -r kernel.core_pattern /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the kernel.perf_event_paranoid kernel parameter can be queried +by running the following command: +$ sysctl kernel.perf_event_paranoid +The output of the command should indicate a value of 2. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. 
+Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*kernel.perf_event_paranoid\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +kernel.perf_event_paranoid = 2 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains kernel.perf_event_paranoid = 2, and that one assignment +is returned when +$ grep -r kernel.perf_event_paranoid /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the kernel.modules_disabled kernel parameter can be queried +by running the following command: +$ sysctl kernel.modules_disabled +The output of the command should indicate a value of 1. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*kernel.modules_disabled\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +kernel.modules_disabled = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains kernel.modules_disabled = 1, and that one assignment +is returned when +$ grep -r kernel.modules_disabled /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the kernel.kexec_load_disabled kernel parameter can be queried +by running the following command: +$ sysctl kernel.kexec_load_disabled +The output of the command should indicate a value of 1. 
+The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*kernel.kexec_load_disabled\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +kernel.kexec_load_disabled = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains kernel.kexec_load_disabled = 1, and that one assignment +is returned when +$ grep -r kernel.kexec_load_disabled /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the kernel.yama.ptrace_scope kernel parameter can be queried +by running the following command: +$ sysctl kernel.yama.ptrace_scope +The output of the command should indicate a value of 1. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*kernel.yama.ptrace_scope\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +kernel.yama.ptrace_scope = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains kernel.yama.ptrace_scope = 1, and that one assignment +is returned when +$ grep -r kernel.yama.ptrace_scope /etc/sysctl.conf /etc/sysctl.d +is executed. 
+ + Is it the case that the correct value is not returned? + + + + The runtime status of the vm.mmap_min_addr kernel parameter can be queried +by running the following command: +$ sysctl vm.mmap_min_addr +The output of the command should indicate a value of 65536. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*vm.mmap_min_addr\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +vm.mmap_min_addr = 65536 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains vm.mmap_min_addr = 65536, and that one assignment +is returned when +$ grep -r vm.mmap_min_addr /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.core.bpf_jit_harden kernel parameter can be queried +by running the following command: +$ sysctl net.core.bpf_jit_harden +The output of the command should indicate a value of 2. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. 
+Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.core.bpf_jit_harden\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.core.bpf_jit_harden = 2 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.core.bpf_jit_harden = 2, and that one assignment +is returned when +$ grep -r net.core.bpf_jit_harden /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the user.max_user_namespaces kernel parameter can be queried +by running the following command: +$ sysctl user.max_user_namespaces +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*user.max_user_namespaces\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +user.max_user_namespaces = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains user.max_user_namespaces = 0, and that one assignment +is returned when +$ grep -r user.max_user_namespaces /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the kernel.pid_max kernel parameter can be queried +by running the following command: +$ sysctl kernel.pid_max +The output of the command should indicate a value of 65536. 
+The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*kernel.pid_max\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +kernel.pid_max = 65536 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains kernel.pid_max = 65536, and that one assignment +is returned when +$ grep -r kernel.pid_max /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the kernel.dmesg_restrict kernel parameter can be queried +by running the following command: +$ sysctl kernel.dmesg_restrict +The output of the command should indicate a value of 1. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*kernel.dmesg_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +kernel.dmesg_restrict = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains kernel.dmesg_restrict = 1, and that one assignment +is returned when +$ grep -r kernel.dmesg_restrict /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? 
+ + + + The runtime status of the kernel.unprivileged_bpf_disabled kernel parameter can be queried +by running the following command: +$ sysctl kernel.unprivileged_bpf_disabled +The output of the command should indicate a value of 1. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*kernel.unprivileged_bpf_disabled\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +kernel.unprivileged_bpf_disabled = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains kernel.unprivileged_bpf_disabled = 1, and that one assignment +is returned when +$ grep -r kernel.unprivileged_bpf_disabled /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the kernel.perf_event_max_sample_rate kernel parameter can be queried +by running the following command: +$ sysctl kernel.perf_event_max_sample_rate +The output of the command should indicate a value of 1. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. 
+Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*kernel.perf_event_max_sample_rate\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +kernel.perf_event_max_sample_rate = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains kernel.perf_event_max_sample_rate = 1, and that one assignment +is returned when +$ grep -r kernel.perf_event_max_sample_rate /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the kernel.perf_cpu_time_max_percent kernel parameter can be queried +by running the following command: +$ sysctl kernel.perf_cpu_time_max_percent +The output of the command should indicate a value of 1. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*kernel.perf_cpu_time_max_percent\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +kernel.perf_cpu_time_max_percent = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains kernel.perf_cpu_time_max_percent = 1, and that one assignment +is returned when +$ grep -r kernel.perf_cpu_time_max_percent /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? 
+ + + + The runtime status of the kernel.sysrq kernel parameter can be queried +by running the following command: +$ sysctl kernel.sysrq +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*kernel.sysrq\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +kernel.sysrq = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains kernel.sysrq = 0, and that one assignment +is returned when +$ grep -r kernel.sysrq /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If they include page_poison=1, +then page poisoning is enabled at boot time. + +To ensure page_poison=1 is configured on all installed kernels, the +following command may be used: + +$ sudo /sbin/grubby --update-kernel=ALL --args="page_poison=1 + + Is it the case that page allocator poisoning is not enabled? + + + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If they include slub_debug=P, +then SLUB/SLAB poisoning is enabled at boot time. + +To ensure slub_debug=P is configured on all installed kernels, the +following command may be used: + +$ sudo /sbin/grubby --update-kernel=ALL --args="slub_debug=P + + Is it the case that SLUB/SLAB poisoning is not enabled? 
+ + + + To verify that acquiring, saving, and processing core dumps is disabled, run the +following command: +$ systemctl status systemd-coredump.socket +The output should be similar to: +● systemd-coredump.socket + Loaded: masked (Reason: Unit systemd-coredump.socket is masked.) + Active: inactive (dead) ... + + Is it the case that unit systemd-coredump.socket is not masked or running? + + + + To verify that storing core dumps are disabled, run the following command: +$ grep Storage /etc/systemd/coredump.conf +The output should be: +Storage=none + Is it the case that Storage is not set to none? + + + + To verify that core dumps are disabled for all users, run the following command: +$ grep core /etc/security/limits.conf +The output should be: +* hard core 0 + Is it the case that it is not? + + + + To verify that logging core dump backtraces is disabled, run the +following command: +$ grep ProcessSizeMax /etc/systemd/coredump.conf +The output should be: +ProcessSizeMax=0 + Is it the case that ProcessSizeMax is not set to zero? + + + + The runtime status of the fs.suid_dumpable kernel parameter can be queried +by running the following command: +$ sysctl fs.suid_dumpable +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. 
+Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*fs.suid_dumpable\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +fs.suid_dumpable = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains fs.suid_dumpable = 0, and that one assignment +is returned when +$ grep -r fs.suid_dumpable /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the kernel.kptr_restrict kernel parameter can be queried +by running the following command: +$ sysctl kernel.kptr_restrict +The output of the command should indicate a value of 1. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +kernel.kptr_restrict = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains kernel.kptr_restrict = 1, and that one assignment +is returned when +$ grep -r kernel.kptr_restrict /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + To verify ExecShield is enabled on 64-bit Red Hat Enterprise Linux 7 systems, +run the following command: +$ dmesg | grep '[NX|DX]*protection' +The output should not contain 'disabled by kernel command line option'. 
+To verify that ExecShield has not been disabled in the kernel configuration, +run the following command: +$ sudo grep noexec /boot/grub2/grub.cfg +The output should not return noexec=off. +For 32-bit Red Hat Enterprise Linux 7 systems, run the following command: +$ sysctl kernel.exec-shield +The output should be: +To set the runtime status of the kernel.exec-shield kernel parameter, +run the following command: +$ sudo sysctl -w kernel.exec-shield=1 + +To make sure that the setting is persistent, +add the following line to a file in the directory /etc/sysctl.d: +kernel.exec-shield = 1 + Is it the case that ExecShield is not supported by the hardware, is not enabled, or has been disabled by the kernel configuration.? + + + + The runtime status of the kernel.randomize_va_space kernel parameter can be queried +by running the following command: +$ sysctl kernel.randomize_va_space +The output of the command should indicate a value of 2. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*kernel.randomize_va_space\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +kernel.randomize_va_space = 2 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains kernel.randomize_va_space = 2, and that one assignment +is returned when +$ grep -r kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + To check the value of the umask, run the following command: +$ grep umask /etc/init.d/functions +The output should show . 
+ Is it the case that it does not? + + + + To check the permissions of /boot/Sysem.map-*, +run the command: +$ ls -l /boot/Sysem.map-* +If properly configured, the output should indicate the following permissions: +-rw------- + Is it the case that ? + + + + The following command will discover and print world-writable directories that +are not owned by a system account, given the assumption that only system +accounts have a uid lower than 500. Run it once for each local partition PART: +$ sudo find PART -xdev -type d -perm -0002 -uid +499 -print + Is it the case that there is output? + + + + The following command will discover and print world-writable directories that +are not group owned by a system account, given the assumption that only system +accounts have a gid lower than 1000. Run it once for each local partition PART: +$ sudo find PART -xdev -type d -perm -0002 -gid +999 -print + Is it the case that there is output? + + + + To find world-writable files, run the following command: +$ sudo find / -xdev -type f -perm -002 + Is it the case that there is output? + + + + The following command will discover and print any +files on local partitions which do not belong to a valid user. +$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser + +Either remove all files and directories from the system that do not have a +valid user, or assign a valid user to all unowned files and directories on +the system with the chown command: +$ sudo chown user file + Is it the case that files exist that are not owned by a valid user? + + + + The runtime status of the fs.protected_hardlinks kernel parameter can be queried +by running the following command: +$ sysctl fs.protected_hardlinks +The output of the command should indicate a value of 1. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. 
+ +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*fs.protected_hardlinks\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +fs.protected_hardlinks = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains fs.protected_hardlinks = 1, and that one assignment +is returned when +$ grep -r fs.protected_hardlinks /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the fs.protected_symlinks kernel parameter can be queried +by running the following command: +$ sysctl fs.protected_symlinks +The output of the command should indicate a value of 1. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*fs.protected_symlinks\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +fs.protected_symlinks = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains fs.protected_symlinks = 1, and that one assignment +is returned when +$ grep -r fs.protected_symlinks /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? 
+ + + + To find SGID files, run the following command: +$ sudo find / -xdev -type f -perm -2000 + Is it the case that there is output? + + + + The following command will discover and print any +files on local partitions which do not belong to a valid group. +$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup + +Either remove all files and directories from the system that do not have a valid group, +or assign a valid group with the chgrp command: +$ sudo chgrp group file + Is it the case that there is output? + + + + The following command will discover and print world-writable directories that +are not owned by root. Run it once for each local partition PART: +$ sudo find PART -xdev -type d -perm -0002 -uid +0 -print + Is it the case that there is output? + + + + To find SUID files, run the following command: +$ sudo find / -xdev -type f -perm -4000 + Is it the case that only authorized files appear in the output of the find command? + + + + To find world-writable directories that lack the sticky bit, run the following command: +$ sudo find / -xdev -type d -perm 002 ! -perm 1000 + Is it the case that any world-writable directories are missing the sticky bit? + + + + Shared libraries are stored in the following directories: +/lib +/lib64 +/usr/lib +/usr/lib64 + +To find shared libraries that are group-writable or world-writable, +run the following command for each directory DIR which contains shared libraries: +$ sudo find -L DIR -perm /022 -type d + Is it the case that any of these files are group-writable or world-writable? 
+ + + + System executables are stored in the following directories by default: +/bin +/sbin +/usr/bin +/usr/libexec +/usr/local/bin +/usr/local/sbin +/usr/sbin +To find system executables that are group-writable or world-writable, +run the following command for each directory DIR which contains system executables: +$ sudo find -L DIR -perm /022 -type f + Is it the case that any system executables are found to be group or world writable? + + + + Shared libraries are stored in the following directories: +/lib +/lib64 +/usr/lib +/usr/lib64 + +To find shared libraries that are group-writable or world-writable, +run the following command for each directory DIR which contains shared libraries: +$ sudo find -L DIR -perm /022 -type f + Is it the case that any of these files are group-writable or world-writable? + + + + System executables are stored in the following directories by default: +/bin +/sbin +/usr/bin +/usr/libexec +/usr/local/bin +/usr/local/sbin +/usr/sbin +To find system executables that are not owned by root, +run the following command for each directory DIR which contains system executables: +$ sudo find DIR/ \! -user root + Is it the case that any system executables are found to not be owned by root? + + + + Shared libraries are stored in the following directories: +/lib +/lib64 +/usr/lib +/usr/lib64 +For each of these directories, run the following command to find files not +owned by root: +$ sudo find -L $DIR ! -user root -exec chown root {} \; + Is it the case that any of these files are not owned by root? + + + + To check the group ownership of /var/log, +run the command: +$ ls -lL /var/log +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /var/log has group owner root? + + + + To check the ownership of /var/log, +run the command: +$ ls -lL /var/log +If properly configured, the output should indicate the following owner: +root + Is it the case that /var/log has owner root? 
+ + + + To check the group ownership of /var/log/messages, +run the command: +$ ls -lL /var/log/messages +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /var/log/messages has group owner root? + + + + To check the permissions of /var/log/messages, +run the command: +$ ls -l /var/log/messages +If properly configured, the output should indicate the following permissions: +-rw-r----- + Is it the case that /var/log/messages has unix mode -rw-r-----? + + + + To check the permissions of /var/log, +run the command: +$ ls -l /var/log +If properly configured, the output should indicate the following permissions: +drwxr-xr-x + Is it the case that /var/log has unix mode drwxr-xr-x? + + + + To check the ownership of /var/log/messages, +run the command: +$ ls -lL /var/log/messages +If properly configured, the output should indicate the following owner: +root + Is it the case that /var/log/messages has owner root? + + + + To check the ownership of /etc/group-, +run the command: +$ ls -lL /etc/group- +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/group- has owner root? + + + + To check the group ownership of /etc/gshadow-, +run the command: +$ ls -lL /etc/gshadow- +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/gshadow- has group owner root? + + + + To check the group ownership of /etc/passwd, +run the command: +$ ls -lL /etc/passwd +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/passwd has group owner root? + + + + To check the group ownership of /etc/gshadow, +run the command: +$ ls -lL /etc/gshadow +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/gshadow has group owner root? 
+ + + + To check the permissions of /etc/passwd, +run the command: +$ ls -l /etc/passwd +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/passwd has unix mode -rw-r--r--? + + + + To check the permissions of /etc/shadow, +run the command: +$ ls -l /etc/shadow +If properly configured, the output should indicate the following permissions: +---------- + Is it the case that /etc/shadow has unix mode ----------? + + + + To check the group ownership of /etc/group, +run the command: +$ ls -lL /etc/group +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/group has group owner root? + + + + To check the ownership of /etc/group, +run the command: +$ ls -lL /etc/group +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/group has owner root? + + + + To check the permissions of /etc/shadow-, +run the command: +$ ls -l /etc/shadow- +If properly configured, the output should indicate the following permissions: +---------- + Is it the case that /etc/shadow- has unix mode ----------? + + + + To check the permissions of /etc/passwd, +run the command: +$ ls -l /etc/passwd +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/group has unix mode -rw-r--r--? + + + + To check the group ownership of /etc/group, +run the command: +$ ls -lL /etc/group +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/group- has group owner root? + + + + To check the ownership of /etc/shadow-, +run the command: +$ ls -lL /etc/shadow- +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/shadow- has owner root? 
+ + + + To check the ownership of /etc/passwd, +run the command: +$ ls -lL /etc/passwd +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/passwd has owner root? + + + + To check the group ownership of /etc/shadow-, +run the command: +$ ls -lL /etc/shadow- +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/shadow- has group owner root? + + + + To check the permissions of /etc/passwd-, +run the command: +$ ls -l /etc/passwd- +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/passwd- has unix mode -rw-r--r--? + + + + To check the ownership of /etc/gshadow-, +run the command: +$ ls -lL /etc/gshadow- +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/gshadow- has owner root? + + + + To check the ownership of /etc/gshadow, +run the command: +$ ls -lL /etc/gshadow +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/gshadow has owner root? + + + + To check the permissions of /etc/passwd, +run the command: +$ ls -l /etc/passwd +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/group- has unix mode -rw-r--r--? + + + + To check the permissions of /etc/gshadow, +run the command: +$ ls -l /etc/gshadow +If properly configured, the output should indicate the following permissions: +---------- + Is it the case that /etc/gshadow has unix mode ----------? + + + + To check the group ownership of /etc/shadow, +run the command: +$ ls -lL /etc/shadow +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/shadow has group owner root? 
+ + + + To check the ownership of /etc/passwd-, +run the command: +$ ls -lL /etc/passwd- +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/passwd- has owner root? + + + + To check the group ownership of /etc/passwd-, +run the command: +$ ls -lL /etc/passwd- +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /etc/passwd- has group owner root? + + + + To check the permissions of /etc/gshadow-, +run the command: +$ ls -l /etc/gshadow- +If properly configured, the output should indicate the following permissions: +---------- + Is it the case that /etc/gshadow- has unix mode ----------? + + + + To check the ownership of /etc/shadow, +run the command: +$ ls -lL /etc/shadow +If properly configured, the output should indicate the following owner: +root + Is it the case that /etc/shadow has owner root? + + + + To verify the nodev option is configured for the /dev/shm mount point, run the following command: + $ mount | grep '\s/dev/shm\s' + The output should show the corresponding mount point along with the nodev setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? + + + + To verify that binaries cannot be directly executed from removable media, run the following command: +$ grep -v noexec /etc/fstab +The resulting output will show partitions which do not have the noexec flag. Verify all partitions +in the output are not removable media. + Is it the case that removable media partitions are present? + + + + To verify the noexec option is configured for the /var/log mount point, run the following command: + $ mount | grep '\s/var/log\s' + The output should show the corresponding mount point along with the noexec setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? 
+ + + + To verify the nodev option is configured for the /tmp mount point, run the following command: + $ mount | grep '\s/tmp\s' + The output should show the corresponding mount point along with the nodev setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? + + + + To verify the nodev option is configured for non-root local partitions, run the following command: +$ mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' +The output shows local non-root partitions mounted without the nodev option, and there should be no output at all. + + Is it the case that some mounts appear among output lines? + + + + To verify the nodev option is configured for the /var/log/audit mount point, run the following command: + $ mount | grep '\s/var/log/audit\s' + The output should show the corresponding mount point along with the nodev setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? + + + + To verify the noauto option is configured for the /boot mount point, run the following command: + $ mount | grep '\s/boot\s' + The output should show the corresponding mount point along with the noauto setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? + + + + To verify the nosuid option is configured for the /opt mount point, run the following command: + $ mount | grep '\s/opt\s' + The output should show the corresponding mount point along with the nosuid setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? + + + + To verify the nosuid option is configured for the /boot mount point, run the following command: + $ mount | grep '\s/boot\s' + The output should show the corresponding mount point along with the nosuid setting in parentheses. 
+ + Is it the case that the is not present in the output line, or there is no output line at all? + + + + To verify the nosuid option is configured for the /tmp mount point, run the following command: + $ mount | grep '\s/tmp\s' + The output should show the corresponding mount point along with the nosuid setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? + + + + To verify the noexec option is configured for the /var/log/audit mount point, run the following command: + $ mount | grep '\s/var/log/audit\s' + The output should show the corresponding mount point along with the noexec setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? + + + + To verify the nosuid option is configured for the /dev/shm mount point, run the following command: + $ mount | grep '\s/dev/shm\s' + The output should show the corresponding mount point along with the nosuid setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? + + + + To verify the noexec option is configured for the /tmp mount point, run the following command: + $ mount | grep '\s/tmp\s' + The output should show the corresponding mount point along with the noexec setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? + + + + To verify the nosuid option is configured for the /var mount point, run the following command: + $ mount | grep '\s/var\s' + The output should show the corresponding mount point along with the nosuid setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? 
+ + + + To verify the nodev option is configured for the /var/log mount point, run the following command: + $ mount | grep '\s/var/log\s' + The output should show the corresponding mount point along with the nodev setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? + + + + To verify the nodev option is configured for the /var mount point, run the following command: + $ mount | grep '\s/var\s' + The output should show the corresponding mount point along with the nodev setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? + + + + To verify the noexec option is configured for the /boot mount point, run the following command: + $ mount | grep '\s/boot\s' + The output should show the corresponding mount point along with the noexec setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? + + + + To verify the noexec option is configured for the /home mount point, run the following command: + $ mount | grep '\s/home\s' + The output should show the corresponding mount point along with the noexec setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? + + + + To verify the noexec option is configured for the /var mount point, run the following command: + $ mount | grep '\s/var\s' + The output should show the corresponding mount point along with the noexec setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? + + + + To verify the nodev option is configured for the /boot mount point, run the following command: + $ mount | grep '\s/boot\s' + The output should show the corresponding mount point along with the nodev setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? 
+ + + + To verify the nosuid option is configured for the /srv mount point, run the following command: + $ mount | grep '\s/srv\s' + The output should show the corresponding mount point along with the nosuid setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? + + + + To verify the noexec option is configured for the /dev/shm mount point, run the following command: + $ mount | grep '\s/dev/shm\s' + The output should show the corresponding mount point along with the noexec setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? + + + + To verify the nosuid option is configured for the /var/log mount point, run the following command: + $ mount | grep '\s/var/log\s' + The output should show the corresponding mount point along with the nosuid setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? + + + + To verify the nosuid option is configured for the /var/log/audit mount point, run the following command: + $ mount | grep '\s/var/log/audit\s' + The output should show the corresponding mount point along with the nosuid setting in parentheses. + + Is it the case that the is not present in the output line, or there is no output line at all? + + + + Run the following command to determine if the rsyslog-gnutls package is installed: $ rpm -q rsyslog-gnutls + Is it the case that the package is not installed? + + + + Run the following command to determine if the rsyslog package is installed: $ rpm -q rsyslog + Is it the case that the package is not installed? + + + + + +Run the following command to determine the current status of the +rsyslog service: +$ systemctl is-active rsyslog +If the service is running, it should return the following: active + Is it the case that ? 
+ + + + Run the following command to determine if the syslog-ng-core package is installed: $ rpm -q syslog-ng-core + Is it the case that the package is not installed? + + + + + +Run the following command to determine the current status of the +syslog-ng service: +$ systemctl is-active syslog-ng +If the service is running, it should return the following: active + Is it the case that ? + + + + Display the contents of the configuration file: +cat /etc/rsyslog.conf +Make sure that the following lines are not present in the output: +$ModLoad imtcp +$InputTCPServerRun port +$ModLoad imudp +$UDPServerRun port +$ModLoad imrelp +$InputRELPServerRun port + Is it the case that rsyslog accepts remote messages? + + + + To determine the status and frequency of logrotate, run the following command: +$ sudo grep logrotate /var/log/cron* +If logrotate is configured properly, output should include references to +/etc/cron.daily. + Is it the case that logrotate is not configured to run daily? + + + + To verify that rsyslog's Forwarding Output Module is configured +to use TLS for logging to remote server, run the following command: +$ grep omfwd /etc/rsyslog.conf /etc/rsyslog.d/*.conf +The output should include record similar to +action(type="omfwd" protocol="tcp" Target="<remote system>" port="6514" + StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" streamdriver.CheckExtendedKeyPurpose="on") + +where the <remote system> present in the configuration line above must be a valid IP address or a host name of the remote logging server. + Is it the case that omfwd is not configured with gtls and AuthMode? + + + + To ensure logs are sent to a remote host, examine the file +/etc/rsyslog.conf. +If using UDP, a line similar to the following should be present: + *.* @ +If using TCP, a line similar to the following should be present: + *.* @@ +If using RELP, a line similar to the following should be present: + *.* :omrelp: + Is it the case that none of these are present? 
+ + + + To verify that rsyslog's Forwarding Output Module has CA certificate +configured for its TLS connections to remote server, run the following command: +$ grep DefaultNetstreamDriverCAFile /etc/rsyslog.conf /etc/rsyslog.d/*.conf +The output should include record similar to +global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem") +where the path to the CA file (/etc/pki/tls/cert.pem in case above) must point to the correct CA certificate. + Is it the case that CA certificate for rsyslog remote logging via TLS is not set? + + + + The owner of all log files written by rsyslog should be . +These log files are determined by the second part of each Rule line in +/etc/rsyslog.conf and typically all appear in /var/log. +To see the owner of a given log file, run the following command: +$ ls -l LOGFILE + Is it the case that the owner is not correct? + + + + To verify that cron is logging to rsyslog, +run the following command: +grep -rni "cron\.\*" /etc/rsyslog.* +The output should return some similar to: +cron.* /var/log/cron + Is it the case that cron is not logging to rsyslog? + + + + The group-owner of all log files written by rsyslog should be . +These log files are determined by the second part of each Rule line in +/etc/rsyslog.conf and typically all appear in /var/log. +To see the group-owner of a given log file, run the following command: +$ ls -l LOGFILE + Is it the case that the group-owner is not correct? + + + + The file permissions for all log files written by rsyslog should +be set to 600, or more restrictive. These log files are determined by the +second part of each Rule line in /etc/rsyslog.conf and typically +all appear in /var/log. To see the permissions of a given log +file, run the following command: +$ ls -l LOGFILE +The permissions should be 600, or more restrictive. + Is it the case that the permissions are not correct? 
+ + + + To verify that Promiscuous mode of an interface is disabled, run the following command: +$ ip link | grep PROMISC +The output returned should not return any network device containing PROMISC. + Is it the case that any network device is in promiscuous mode? + + + + Using a non-privileged account, verify that users cannot modify or change +network settings with the nmcli command with the following command: +$ nmcli general permissions +The output should contain the following: +PERMISSION VALUE +org.freedesktop.NetworkManager.enable-disable-network auth +org.freedesktop.NetworkManager.enable-disable-wifi auth +org.freedesktop.NetworkManager.enable-disable-wwan auth +org.freedesktop.NetworkManager.enable-disable-wimax auth +org.freedesktop.NetworkManager.sleep-wake auth +org.freedesktop.NetworkManager.network-control auth +org.freedesktop.NetworkManager.wifi.share.protected auth +org.freedesktop.NetworkManager.wifi.share.open auth +org.freedesktop.NetworkManager.settings.modify.system auth +org.freedesktop.NetworkManager.settings.modify.own auth +org.freedesktop.NetworkManager.settings.modify.hostname auth +org.freedesktop.NetworkManager.settings.modify.global-dns auth +org.freedesktop.NetworkManager.reload auth +org.freedesktop.NetworkManager.checkpoint-rollback auth +org.freedesktop.NetworkManager.enable-disable-statistics auth +org.freedesktop.NetworkManager.enable-disable-connectivity-check auth +org.freedesktop.NetworkManager.wifi.scan auth + + Is it the case that non-privileged users can modify or change network settings? + + + + +If the system is configured to prevent the loading of the rds kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. 
+Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r rds /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? + + + + +If the system is configured to prevent the loading of the firewire-core kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r firewire-core /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? + + + + +If the system is configured to prevent the loading of the tipc kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? + + + + +If the system is configured to prevent the loading of the dccp kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r dccp /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? + + + + +If the system is configured to prevent the loading of the atm kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. 
+These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r atm /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? + + + + +If the system is configured to prevent the loading of the can kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. +These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r can /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? + + + + +To check that the bluetooth service is disabled in system boot configuration, +run the following command: +$ systemctl is-enabled bluetooth +Output should indicate the bluetooth service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ systemctl is-enabled bluetooth disabled + +Run the following command to verify bluetooth is not active (i.e. not running) through current runtime configuration: +$ systemctl is-active bluetooth + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the bluetooth is masked, run the following command: +$ systemctl show bluetooth | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that ? + + + + +If the system is configured to prevent the loading of the bluetooth kernel module, +it will contain lines inside any file in /etc/modprobe.d or the deprecated/etc/modprobe.conf. 
+These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. +Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: +$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d + Is it the case that no line is returned? + + + + Verify that there are no wireless interfaces configured on the system +with the following command: + +$ sudo nmcli device +The output should contain the following: +wifi disconnected + Is it the case that it is not? + + + + Run the following command to determine if the iptables package is installed: $ rpm -q iptables + Is it the case that the package is not installed? + + + + Inspect the file /etc/sysconfig/iptables to determine +the default policy for the INPUT chain. It should be set to DROP: +$ sudo grep ":INPUT" /etc/sysconfig/iptables + Is it the case that the default policy for the INPUT chain is not set to DROP? + + + + Run the following command to ensure the default FORWARD policy is DROP: +grep ":FORWARD" /etc/sysconfig/iptables +The output should be similar to the following: +$ sudo grep ":FORWARD" /etc/sysconfig/iptables +:FORWARD DROP [0:0 + Is it the case that the default policy for the FORWARD chain is not set to DROP? + + + + If IPv6 is disabled, this is not applicable. + + + +Run the following command to determine the current status of the +ip6tables service: +$ systemctl is-active ip6tables +If the service is running, it should return the following: active + Is it the case that ? + + + + + +Run the following command to determine the current status of the +iptables service: +$ systemctl is-active iptables +If the service is running, it should return the following: active + Is it the case that ? + + + + If IPv6 is disabled, this is not applicable. + +Inspect the file /etc/sysconfig/ip6tables to determine +the default policy for the INPUT chain. 
It should be set to DROP: +$ sudo grep ":INPUT" /etc/sysconfig/ip6tables + Is it the case that the default policy for the INPUT chain is not set to DROP? + + + + Run the following command to determine if the libreswan package is installed: $ rpm -q libreswan + Is it the case that the package is not installed? + + + + To check for configured IPsec connections (conn), perform the following: +grep -rni conn /etc/ipsec.conf /etc/ipsec.d/ +Verify any returned results for organizational approval. + Is it the case that the IPSec tunnels are not approved? + + + + + +Run the following command to determine the current status of the +firewalld service: +$ systemctl is-active firewalld +If the service is running, it should return the following: active + Is it the case that ? + + + + Inspect the file /etc/firewalld/firewalld.conf to determine +the default zone for the firewalld. It should be set to DefaultZone=drop: +$ sudo grep DefaultZone /etc/firewalld/firewalld.conf + Is it the case that the default zone is not set to DROP? + + + + The runtime status of the net.ipv4.ip_forward kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.ip_forward +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. 
+Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.ip_forward\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv4.ip_forward = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv4.ip_forward = 0, and that one assignment +is returned when +$ grep -r net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d +is executed. +The ability to forward packets is only appropriate for routers. + Is it the case that ? + + + + The runtime status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.send_redirects +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.conf.all.send_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv4.conf.all.send_redirects = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv4.conf.all.send_redirects = 0, and that one assignment +is returned when +$ grep -r net.ipv4.conf.all.send_redirects /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? 
+ + + + The runtime status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.default.send_redirects +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.conf.default.send_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv4.conf.default.send_redirects = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv4.conf.default.send_redirects = 0, and that one assignment +is returned when +$ grep -r net.ipv4.conf.default.send_redirects /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.accept_source_route +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. 
+Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.conf.all.accept_source_route\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv4.conf.all.accept_source_route = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv4.conf.all.accept_source_route = 0, and that one assignment +is returned when +$ grep -r net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.icmp_ignore_bogus_error_responses +The output of the command should indicate a value of 1. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.icmp_ignore_bogus_error_responses\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv4.icmp_ignore_bogus_error_responses = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv4.icmp_ignore_bogus_error_responses = 1, and that one assignment +is returned when +$ grep -r net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? 
+ + + + The runtime status of the net.ipv4.conf.default.rp_filter kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.default.rp_filter +The output of the command should indicate a value of 1. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.conf.default.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv4.conf.default.rp_filter = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv4.conf.default.rp_filter = 1, and that one assignment +is returned when +$ grep -r net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv4.conf.all.log_martians kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.log_martians +The output of the command should indicate a value of 1. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. 
+Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.conf.all.log_martians\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv4.conf.all.log_martians = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv4.conf.all.log_martians = 1, and that one assignment +is returned when +$ grep -r net.ipv4.conf.all.log_martians /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv4.conf.default.log_martians kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.default.log_martians +The output of the command should indicate a value of 1. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.conf.default.log_martians\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv4.conf.default.log_martians = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv4.conf.default.log_martians = 1, and that one assignment +is returned when +$ grep -r net.ipv4.conf.default.log_martians /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? 
+ + + + The runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.default.accept_source_route +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.conf.default.accept_source_route\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv4.conf.default.accept_source_route = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv4.conf.default.accept_source_route = 0, and that one assignment +is returned when +$ grep -r net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.accept_redirects +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. 
+Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.conf.all.accept_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv4.conf.all.accept_redirects = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv4.conf.all.accept_redirects = 0, and that one assignment +is returned when +$ grep -r net.ipv4.conf.all.accept_redirects /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.default.accept_redirects +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.conf.default.accept_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv4.conf.default.accept_redirects = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv4.conf.default.accept_redirects = 0, and that one assignment +is returned when +$ grep -r net.ipv4.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? 
+ + + + The runtime status of the net.ipv4.ip_local_port_range kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.ip_local_port_range +The output of the command should indicate a value of 32768 65535. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.ip_local_port_range\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv4.ip_local_port_range = 32768 65535 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv4.ip_local_port_range = 32768 65535, and that one assignment +is returned when +$ grep -r net.ipv4.ip_local_port_range /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.default.secure_redirects +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. 
+Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.conf.default.secure_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv4.conf.default.secure_redirects = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv4.conf.default.secure_redirects = 0, and that one assignment +is returned when +$ grep -r net.ipv4.conf.default.secure_redirects /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.icmp_echo_ignore_broadcasts +The output of the command should indicate a value of 1. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.icmp_echo_ignore_broadcasts\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv4.icmp_echo_ignore_broadcasts = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv4.icmp_echo_ignore_broadcasts = 1, and that one assignment +is returned when +$ grep -r net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? 
+ + + + The runtime status of the net.ipv4.tcp_syncookies kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.tcp_syncookies +The output of the command should indicate a value of 1. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.tcp_syncookies\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv4.tcp_syncookies = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv4.tcp_syncookies = 1, and that one assignment +is returned when +$ grep -r net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv4.conf.all.rp_filter kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.rp_filter +The output of the command should indicate a value of 1. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. 
+Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv4.conf.all.rp_filter = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv4.conf.all.rp_filter = 1, and that one assignment +is returned when +$ grep -r net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv4.conf.all.secure_redirects +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv4.conf.all.secure_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv4.conf.all.secure_redirects = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv4.conf.all.secure_redirects = 0, and that one assignment +is returned when +$ grep -r net.ipv4.conf.all.secure_redirects /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + If the system uses IPv6, this is not applicable. 
+ +If the system is configured to disable the +ipv6 kernel module, it will contain a line +of the form: +options ipv6 disable=1 +Such lines may be inside any file in /etc/modprobe.d or the +deprecated/etc/modprobe.conf. This permits insertion of the IPv6 +kernel module (which other parts of the system expect to be present), but +otherwise keeps it inactive. Run the following command to search for such +lines in all files in /etc/modprobe.d and the deprecated +/etc/modprobe.conf: +preserve$ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d + Is it the case that the ipv6 kernel module is not disabled? + + + + If the system uses IPv6, this is not applicable. + +If the system is configured to prevent the usage of the ipv6 on +network interfaces, it will contain a line of the form: +net.ipv6.conf.all.disable_ipv6 = 1 +Such lines may be inside any file in the /etc/sysctl.d directory. +This permits insertion of the IPv6 kernel module (which other parts of the +system expect to be present), but otherwise keeps all network interfaces +from using IPv6. Run the following command to search for such lines in all +files in /etc/sysctl.d: +$ grep -r ipv6 /etc/sysctl.d + Is it the case that the ipv6 support is disabled on network interfaces? + + + + +Inspect the form of default GRUB2 command line for the Linux operating system +in /boot/grub2/grubenv. Check if it includes ipv6.disable=1. +sudo grep 'kernelopts.*ipv6.disable=1.*' /boot/grub2/grubenv + +To ensure ipv6.disable=1 is configured on all installed kernels, the +following command may be used: + +sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1" + + Is it the case that IPv6 is not disabled? + + + + The runtime status of the net.ipv6.conf.all.max_addresses kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.max_addresses +The output of the command should indicate a value of 1. 
+The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv6.conf.all.max_addresses\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv6.conf.all.max_addresses = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv6.conf.all.max_addresses = 1, and that one assignment +is returned when +$ grep -r net.ipv6.conf.all.max_addresses /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv6.conf.all.accept_ra_rtr_pref kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.accept_ra_rtr_pref +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. 
+Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv6.conf.all.accept_ra_rtr_pref\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv6.conf.all.accept_ra_rtr_pref = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv6.conf.all.accept_ra_rtr_pref = 0, and that one assignment +is returned when +$ grep -r net.ipv6.conf.all.accept_ra_rtr_pref /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv6.conf.default.accept_ra_pinfo kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.accept_ra_pinfo +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv6.conf.default.accept_ra_pinfo\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv6.conf.default.accept_ra_pinfo = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv6.conf.default.accept_ra_pinfo = 0, and that one assignment +is returned when +$ grep -r net.ipv6.conf.default.accept_ra_pinfo /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? 
+ + + + The runtime status of the net.ipv6.conf.default.accept_ra kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.accept_ra +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv6.conf.default.accept_ra\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv6.conf.default.accept_ra = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv6.conf.default.accept_ra = 0, and that one assignment +is returned when +$ grep -r net.ipv6.conf.default.accept_ra /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv6.conf.default.router_solicitations kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.router_solicitations +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. 
+Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv6.conf.default.router_solicitations\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv6.conf.default.router_solicitations = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv6.conf.default.router_solicitations = 0, and that one assignment +is returned when +$ grep -r net.ipv6.conf.default.router_solicitations /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv6.conf.all.autoconf kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.autoconf +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv6.conf.all.autoconf\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv6.conf.all.autoconf = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv6.conf.all.autoconf = 0, and that one assignment +is returned when +$ grep -r net.ipv6.conf.all.autoconf /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? 
+ + + + The runtime status of the net.ipv6.conf.all.router_solicitations kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.router_solicitations +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv6.conf.all.router_solicitations\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv6.conf.all.router_solicitations = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv6.conf.all.router_solicitations = 0, and that one assignment +is returned when +$ grep -r net.ipv6.conf.all.router_solicitations /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv6.conf.default.accept_ra_defrtr kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.accept_ra_defrtr +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. 
+Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv6.conf.default.accept_ra_defrtr\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv6.conf.default.accept_ra_defrtr = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv6.conf.default.accept_ra_defrtr = 0, and that one assignment +is returned when +$ grep -r net.ipv6.conf.default.accept_ra_defrtr /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv6.conf.all.accept_ra_defrtr kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.accept_ra_defrtr +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv6.conf.all.accept_ra_defrtr\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv6.conf.all.accept_ra_defrtr = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv6.conf.all.accept_ra_defrtr = 0, and that one assignment +is returned when +$ grep -r net.ipv6.conf.all.accept_ra_defrtr /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? 
+ + + + The runtime status of the net.ipv6.conf.default.autoconf kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.autoconf +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv6.conf.default.autoconf\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv6.conf.default.autoconf = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv6.conf.default.autoconf = 0, and that one assignment +is returned when +$ grep -r net.ipv6.conf.default.autoconf /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv6.conf.default.accept_ra_rtr_pref kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.accept_ra_rtr_pref +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. 
+Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv6.conf.default.accept_ra_rtr_pref\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv6.conf.default.accept_ra_rtr_pref = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv6.conf.default.accept_ra_rtr_pref = 0, and that one assignment +is returned when +$ grep -r net.ipv6.conf.default.accept_ra_rtr_pref /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv6.conf.all.accept_ra_pinfo kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.all.accept_ra_pinfo +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv6.conf.all.accept_ra_pinfo\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv6.conf.all.accept_ra_pinfo = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv6.conf.all.accept_ra_pinfo = 0, and that one assignment +is returned when +$ grep -r net.ipv6.conf.all.accept_ra_pinfo /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? 
+ + + + The runtime status of the net.ipv6.conf.default.max_addresses kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.max_addresses +The output of the command should indicate a value of 1. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. +Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv6.conf.default.max_addresses\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv6.conf.default.max_addresses = 1 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv6.conf.default.max_addresses = 1, and that one assignment +is returned when +$ grep -r net.ipv6.conf.default.max_addresses /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + The runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried +by running the following command: +$ sysctl net.ipv6.conf.default.accept_redirects +The output of the command should indicate a value of 0. +The preferable way how to assure the runtime compliance is to have +correct persistent configuration, and rebooting the system. + +The persistent kernel parameter configuration is performed by specifying the appropriate +assignment in any file located in the /etc/sysctl.d directory. 
+Verify that there is not any existing incorrect configuration by executing the following command: +$ grep -r '^\s*net.ipv6.conf.default.accept_redirects\s*=' /etc/sysctl.conf /etc/sysctl.d +If any assignments other than +net.ipv6.conf.default.accept_redirects = 0 +are found, or the correct assignment is duplicated, remove those offending lines from respective files, +and make sure that exactly one file in +/etc/sysctl.d contains net.ipv6.conf.default.accept_redirects = 0, and that one assignment +is returned when +$ grep -r net.ipv6.conf.default.accept_redirects /etc/sysctl.conf /etc/sysctl.d +is executed. + + Is it the case that the correct value is not returned? + + + + Run the following command to determine if the libselinux package is installed: $ rpm -q libselinux + Is it the case that the package is not installed? + + + + Run the following command to determine if the policycoreutils package is installed: $ rpm -q policycoreutils + Is it the case that the package is not installed? + + + + Run the following command to determine if the setroubleshoot-plugins package is installed: +$ rpm -q setroubleshoot-plugins + Is it the case that the package is installed? + + + + Run the following command to determine if the setroubleshoot-server package is installed: +$ rpm -q setroubleshoot-server + Is it the case that the package is installed? + + + + Inspect /etc/default/grub for any instances of selinux=0 +in the kernel boot arguments. Presence of selinux=0 indicates +that SELinux is disabled at boot time. + Is it the case that SELinux is disabled at boot time? + + + + Check the file /etc/selinux/config and ensure the following line appears: +SELINUX= + Is it the case that SELINUX is not set to enforcing? + + + + Inspect /proc/cmdline for any instances of selinux=0 +in the kernel boot arguments. Presence of selinux=0 indicates +that SELinux is disabled at boot time. + +If it would be disabled anywhere, make sure to enable it via a +MachineConfig object. 
+ Is it the case that SELinux is disabled at boot time? + + + + Ensure there are no unconfined daemons running on the system, +the following command should produce no output: +$ sudo ps -eZ | grep "unconfined_service_t" + Is it the case that There are unconfined daemons running on the system? + + + + Check the file /etc/selinux/config and ensure the following line appears: +SELINUXTYPE= + Is it the case that it does not? + + + + To check for incorrectly labeled device files, run following commands: +$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n" +$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n" +It should produce no output in a well-configured system. + Is it the case that there is output? + + + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If they include vsyscall=none, +then virtyal syscalls are not enabled at boot time. + +To ensure vsyscall=none is configured on all installed kernels, the +following command may be used: + +$ sudo /sbin/grubby --update-kernel=ALL --args="vsyscall=none + + Is it the case that vsyscalls are enabled? + + + + Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If they include pti=on, +then Kernel page-table isolation is enabled at boot time. + +To ensure pti=on is configured on all installed kernels, the +following command may be used: + +$ sudo /sbin/grubby --update-kernel=ALL --args="pti=on + + Is it the case that Kernel page-table isolation is not enabled? + + + + To check the permissions of /boot/efi/EFI/fedora/grub.cfg, run the command: +$ sudo ls -lL /boot/efi/EFI/fedora/grub.cfg + +If properly configured, the output should indicate the following +permissions: -rwx------ + Is it the case that it does not? 
+ + + + To verify the boot loader superuser password has been set, run the following +command: + +sudo grep "password" /etc/grub2-efi.cfg + +The output should show the following: +password_pbkdf2 superusers-account ${GRUB2_PASSWORD} +To verify the boot loader superuser account password has been set, +and the password encrypted, run the following command: + +sudo cat /boot/efi/EFI/redhat/user.cfg +The output should be similar to: +GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC +2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0 +916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7 +0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 + Is it the case that it does not? + + + + To check the ownership of /boot/efi/EFI/fedora/grub.cfg, +run the command: +$ ls -lL /boot/efi/EFI/fedora/grub.cfg +If properly configured, the output should indicate the following owner: +root + Is it the case that /boot/efi/EFI/fedora/grub.cfg has owner root? + + + + To verify the boot loader superuser account has been set, run the following +command: +sudo grep -A1 "superusers" /etc/grub2-efi.cfg +The output should show the following: +set superusers="superusers-account" +export superusers +where superusers-account is the actual account name different from common names like root, +admin, or administrator. + Is it the case that it does not? + + + + To check the group ownership of /boot/efi/EFI/fedora/grub.cfg, +run the command: +$ ls -lL /boot/efi/EFI/fedora/grub.cfg +If properly configured, the output should indicate the following group-owner: +root + Is it the case that /boot/efi/EFI/fedora/grub.cfg has group owner root? 
+ + + + To verify the boot loader superuser password has been set, run the following +command: + +sudo grep "superusers" /etc/grub2.cfg + +The output should show the following: +password_pbkdf2 superusers-account ${GRUB2_PASSWORD} +To verify the boot loader superuser account password has been set, +and the password encrypted, run the following command: + +sudo cat /boot/grub2/user.cfg +The output should be similar to: +GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC +2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0 +916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7 +0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 + Is it the case that it does not? + + + + To check the group ownership of {{{ grub2_boot_path }}}/grub.cfg, +run the command: +$ ls -lL {{{ grub2_boot_path }}}/grub.cfg +If properly configured, the output should indicate the following group-owner: +root + Is it the case that {{{ grub2_boot_path }}}/grub.cfg has group owner root? + + + + To check the ownership of {{{ grub2_boot_path }}}/grub.cfg, +run the command: +$ ls -lL {{{ grub2_boot_path }}}/grub.cfg +If properly configured, the output should indicate the following owner: +root + Is it the case that {{{ grub2_boot_path }}}/grub.cfg has owner root? + + + + To check the permissions of /boot/grub2/grub.cfg, run the command: +$ sudo ls -lL /boot/grub2/grub.cfg +If properly configured, the output should indicate the following +permissions: -rw------- + Is it the case that it does not? + + + + To verify the boot loader superuser account has been set, run the following +command: +sudo grep -A1 "superusers" /etc/grub2.cfg +The output should show the following: +set superusers="superusers-account" +export superusers +where superusers-account is the actual account name different from common names like root, +admin, or administrator. + Is it the case that it does not? 
+ + + + + +Run the following command to determine the current status of the +cron service: +$ systemctl is-active cron +If the service is running, it should return the following: active + Is it the case that ? + + + + + +Run the following command to determine the current status of the +crond service: +$ systemctl is-active crond +If the service is running, it should return the following: active + Is it the case that ? + + + + +To check that the atd service is disabled in system boot configuration, +run the following command: +$ systemctl is-enabled atd +Output should indicate the atd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ systemctl is-enabled atd disabled + +Run the following command to verify atd is not active (i.e. not running) through current runtime configuration: +$ systemctl is-active atd + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the atd is masked, run the following command: +$ systemctl show atd | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that ? + + + + Run the following command to determine if the cronie-anacron package is installed: +$ rpm -q cronie-anacron + Is it the case that the package is installed? + + + + Run the following command to determine if the sendmail package is installed: +$ rpm -q sendmail + Is it the case that the package is installed? + + + + Find the list of alias maps used by the Postfix mail server: +$ sudo postconf alias_maps +Query the Postfix alias maps for an alias for the root user: +$ sudo postmap -q root hash:/etc/aliases +The output should return an alias. + Is it the case that it is not? 
+ + + + Run the following command to ensure postfix routes mail to this system: +$ grep relayhost /etc/postfix/main.cf +If properly configured, the output should show only . + Is it the case that it is not? + + + + Run the following command to determine if the net-snmp package is installed: +$ rpm -q net-snmp + Is it the case that the package is installed? + + + + To ensure there are no read-write users, run the following command: +$ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep 'rwuser' +There should be no output. + Is it the case that there are users who can write to SNMP values? + + + + To ensure the default password is not set, run the following command: +$ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep -E 'public|private' +There should be no output. + Is it the case that the default SNMP passwords public and private have not been changed or removed? + + + + To ensure only SNMPv3 or newer is used, run the following command: +$ sudo grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#" +There should be no output. + Is it the case that there is output? + + + + Run the following command to determine if the fapolicyd package is installed: $ rpm -q fapolicyd + Is it the case that the package is not installed? + + + + Run the following command to determine if the nfs-utils package is installed: +$ rpm -q nfs-utils + Is it the case that the package is installed? + + + + +To check that the nfs-server service is disabled in system boot configuration, +run the following command: +$ systemctl is-enabled nfs-server +Output should indicate the nfs-server service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ systemctl is-enabled nfs-server disabled + +Run the following command to verify nfs-server is not active (i.e. 
not running) through current runtime configuration: +$ systemctl is-active nfs-server + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the nfs-server is masked, run the following command: +$ systemctl show nfs-server | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that it does not? + + + + +To check that the rpcsvcgssd service is disabled in system boot configuration, +run the following command: +$ systemctl is-enabled rpcsvcgssd +Output should indicate the rpcsvcgssd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ systemctl is-enabled rpcsvcgssd disabled + +Run the following command to verify rpcsvcgssd is not active (i.e. not running) through current runtime configuration: +$ systemctl is-active rpcsvcgssd + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the rpcsvcgssd is masked, run the following command: +$ systemctl show rpcsvcgssd | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that ? + + + + Inspect the mounts configured in /etc/exports. Each mount should specify a value +greater than UID_MAX and GID_MAX as defined in /etc/login.defs. + Is it the case that anonuid or anongid are not set to a value greater than UID_MAX (for anonuid) and GID_MAX (for anongid)? + + + + To verify insecure file locking has been disabled, run the following command: +$ grep insecure_locks /etc/exports + Is it the case that there is output? + + + + To verify all squashing has been disabled, run the following command: +$ grep all_squash /etc/exports + Is it the case that there is output? 
+ + + + To ensure the X Windows package group is removed, run the following command: +$ rpm -qi xorg-x11-server-common +The output should be: +package xorg-x11-server-common is not installed + Is it the case that the X Windows package group or xorg-x11-server-common has not be removed? + + + + To verify the default target is multi-user, run the following command: +$ systemctl get-default +The output should show the following: +multi-user.target + Is it the case that the X windows display server is running and/or has not been disabled? + + + + Run the following command to see if there are some keytabs +that would potentially allow the use of Kerberos by system daemons. +$ ls -la /etc/*.keytab +The expected result is +ls: cannot access '/etc/*.keytab': No such file or directory + Is it the case that it is present on the system? + + + + Run the following command to determine if the vsftpd package is installed: +$ rpm -q vsftpd + Is it the case that the package is installed? + + + + If FTP services are not installed, this is not applicable. + +To verify this configuration, run the following command: + +grep "banner_file" /etc/vsftpd/vsftpd.conf + + +The output should show the value of banner_file is set to /etc/issue, an example of which is shown below: + +$ sudo grep "banner_file" /etc/vsftpd/vsftpd.conf + +banner_file=/etc/issue + Is it the case that it does not? + + + + Find if logging is applied to the FTP daemon. + +Procedures: + +If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file: +$ grep vsftpd /etc/xinetd.d/* +$ grep server_args vsftpd xinetd.d startup file +This will indicate the vsftpd config file used when starting through xinetd. +If the server_args line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used. +$ sudo grep xferlog_enable vsftpd config file + Is it the case that xferlog_enable is missing, or is not set to yes? 
+ + + + Run the following command to determine if the chrony package is installed: +$ rpm -q chrony + Is it the case that the package is installed? + + + + + +Run the following command to determine the current status of the +chronyd service: +$ systemctl is-active chronyd +If the service is running, it should return the following: active + Is it the case that the chronyd process is not running? + + + + + +Run the following command to determine the current status of the +chronyd service: +$ systemctl is-active chronyd +If the service is running, it should return the following: active + + +Run the following command to determine the current status of the +ntpd service: +$ systemctl is-active ntpd +If the service is running, it should return the following: active + Is it the case that ? + + + + + +Run the following command to determine the current status of the +ntp service: +$ systemctl is-active ntp +If the service is running, it should return the following: active + Is it the case that ? + + + + + +Run the following command to determine the current status of the +ntpd service: +$ systemctl is-active ntpd +If the service is running, it should return the following: active + Is it the case that ? + + + + To verify that maxpoll has been set properly, perform the following: +$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf +The output should return +maxpoll . + Is it the case that it does not exist or maxpoll has not been set to the expected value? + + + + Run the following command and verify that -u chrony is included in OPTIONS: +# grep "^OPTIONS" /etc/sysconfig/chronyd +OPTIONS="-u chrony" + Is it the case that chronyd is not running under chrony user account? 
+ + + + To verify that a remote NTP service is configured for time synchronization, +open the following file: +/etc/chrony.conf in the case the system in question is +configured to use the chronyd as the NTP daemon (default setting)/etc/ntp.conf in the case the system in question is configured +to use the ntpd as the NTP daemon +In the file, there should be a section similar to the following: +server ntpserver + Is it the case that this is not the case? + + + + Run the following command and verify output matches: +# grep "^restrict" /etc/ntp.conf + +restrict -4 default kod nomodify notrap nopeer noquery +restrict -6 default kod nomodify notrap nopeer noquery + +The -4 in the first line is optional and options after default can appear in any order. +Additional restriction lines may exist. + Is it the case that restrictions are not configured for ntpd? + + + + To verify that ntpd is configured to correctly run under the ntp user, +run the following commands: +$ sudo grep "^OPTIONS" /etc/sysconfig/ntpd +The output should contain +OPTIONS="-u ntp:ntp" +$ sudo grep "^ExecStart" /usr/lib/systemd/system/ntpd.service +The output should contain +ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS + Is it the case that ntpd is not running under ntp user account? + + + + To verify that cmdport has been set properly, perform the following: +$ grep '\bcmdport\b' /etc/chrony.conf +The output should return +cmdport 0 + Is it the case that it does not exist or port is set to non-zero value? + + + + To verify that a remote NTP service is configured for time synchronization, +open the following file: +/etc/ntp.conf +In the file, there should be a section similar to the following: +server ntpserver + Is it the case that this is not the case? + + + + To verify that port has been set properly, perform the following: +$ grep '\bport\b' /etc/chrony.conf +The output should return +port 0 + Is it the case that it does not exist or port is set to non-zero value? 
+ + + + Run the following command and verify remote server is configured properly: +# grep -E "^(server|pool)" /etc/chrony.conf + Is it the case that a remote time server is not configured? + + + + Run the following command to determine if the openldap-clients package is installed: +$ rpm -q openldap-clients + Is it the case that the package is installed? + + + + +To check that the rsyncd service is disabled in system boot configuration, +run the following command: +$ systemctl is-enabled rsyncd +Output should indicate the rsyncd service has either not been installed, +or has been disabled at all runlevels, as shown in the example below: +$ systemctl is-enabled rsyncd disabled + +Run the following command to verify rsyncd is not active (i.e. not running) through current runtime configuration: +$ systemctl is-active rsyncd + +If the service is not running the command will return the following output: +inactive + +The service will also be masked, to check that the rsyncd is masked, run the following command: +$ systemctl show rsyncd | grep "LoadState\|UnitFileState" + +If the service is masked the command will return the following outputs: + +LoadState=masked + +UnitFileState=masked + Is it the case that the service is not disabled? + + + + The existence of the file /etc/hosts.equiv or a file named +.rhosts inside a user home directory indicates the presence +of an Rsh trust relationship. + Is it the case that these files exist? + + + + Run the following command to determine if the bind package is installed: +$ rpm -q bind + Is it the case that the package is installed? + + + + + +Run the following command to determine the current status of the +rngd service: +$ systemctl is-active rngd +If the service is running, it should return the following: active + Is it the case that the service is not enabled? + + + + Run the following command to determine if the sssd-ipa package is installed: $ rpm -q sssd-ipa + Is it the case that the package is not installed? 
+ + + + To verify that SSSD's in-memory cache expires after a day, run the following command: +$ sudo grep memcache_timeout /etc/sssd/sssd.conf +If configured properly, output should be memcache_timeout = . + Is it the case that it does not exist or is not configured properly? + + + + To verify that SSSD expires known SSH host keys, run the following command: +$ sudo grep ssh_known_hosts_timeout /etc/sssd/sssd.conf +If configured properly, output should be +ssh_known_hosts_timeout = + Is it the case that it does not exist or is not configured properly? + + + + To verify that SSSD is configured to run as user sssd, run the following command: +$ sudo grep -r '\buser\b' /etc/sssd +If configured properly, output should similar to /etc/sssd/conf.d/ospp.conf:user = sssd. +Sanity of SSSD configuration in general can be checked using $ sudo sssctl config-check + Is it the case that it does not exist or is not configured properly? + + + + To verify that smart cards are enabled in SSSD, run the following command: +$ sudo grep pam_cert_auth /etc/sssd/sssd.conf +If configured properly, output should be +pam_cert_auth = true + Is it the case that smart cards are not enabled in SSSD? + + + + To verify that SSSD expires offline credentials, run the following command: +$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf +If configured properly, output should be +offline_credentials_expiration = 1 + Is it the case that it does not exist or is not configured properly? + + + + Run the following command to determine if the usbguard package is installed: $ rpm -q usbguard + Is it the case that the package is not installed? + + + + + +Run the following command to determine the current status of the +usbguard service: +$ systemctl is-active usbguard +If the service is running, it should return the following: active + Is it the case that the service is not enabled? 
+ + + + To verify that Linux Audit logging si enabled for the USBGuard daemon, +run the following command: +$ sudo grep AuditBackend /etc/usbguard/usbguard-daemon.conf +The output should be +AuditBackend=LinuxAudit + Is it the case that AuditBackend is not set to LinuxAudit? + + + + To verify that USB Human Interface Devices and hubs will be authorized by the USBGuard daemon, +run the following command: +$ sudo grep allow /etc/usbguard/rules.conf +The output lines should include +allow with-interface match-all { 03:*:* 09:00:* } + Is it the case that USB devices of class 3 and 9:00 are not authorized? + + + + To verify that USB Human Interface Devices will be authorized by the USBGuard daemon, +run the following command: +$ sudo grep allow /etc/usbguard/rules.conf +The output lines should include +allow with-interface match-all { 03:*:* } + Is it the case that USB devices of class 3 are not authorized? + + + + To verify that USB hubs will be authorized by the USBGuard daemon, +run the following command: +$ sudo grep allow /etc/usbguard/rules.conf +One of the output lines should be +allow with-interface match-all { 09:00:* } + Is it the case that USB devices of class 9 are not authorized? + + + + Run the following command to determine if the openssh-server package is installed: $ rpm -q openssh-server + Is it the case that the package is not installed? + + + + Run the following command to determine if the openssh-server package is installed: $ rpm -q openssh-server + Is it the case that the package is installed? + + + + To check the permissions of /etc/ssh/*.pub, +run the command: +$ ls -l /etc/ssh/*.pub +If properly configured, the output should indicate the following permissions: +-rw-r--r-- + Is it the case that /etc/ssh/*.pub has unix mode -rw-r--r--? 
+ + + + To check the permissions of /etc/ssh/*_key, +run the command: +$ ls -l /etc/ssh/*_key +If properly configured, the output should indicate the following permissions: +-rw-r----- + Is it the case that /etc/ssh/*_key has unix mode -rw-r-----? + + + + To check if RekeyLimit is set correctly, run the +following command: +$ sudo grep RekeyLimit /etc/ssh/sshd_config +If configured properly, output should be +RekeyLimit + Is it the case that it is commented out or is not set? + + + + To check if GSSAPIAuthentication is disabled or set correctly, run the following +command: +$ sudo grep GSSAPIAuthentication /etc/ssh/sshd_config +If configured properly, output should be no + Is it the case that it is commented out or is not disabled? + + + + To check if PrintLastLog is enabled or set correctly, run the +following command: +$ sudo grep PrintLastLog /etc/ssh/sshd_config +If configured properly, output should be yes + Is it the case that it is commented out or is not enabled? + + + + Run the following command to see what the timeout interval is: +$ sudo grep ClientAliveInterval /etc/ssh/sshd_config +If properly configured, the output should be: +ClientAliveInterval + Is it the case that it is commented out or not configured properly? + + + + To check if LogLevel is enabled or set correctly, run the +following command: +$ sudo grep "^LogLevel" /etc/ssh/sshd_config +If configured properly, output should be LogLevel VERBOSE + Is it the case that it is commented out or is not enabled? + + + + To check if GSSAPIAuthentication is enabled or set correctly, run the following +command: +$ sudo grep GSSAPIAuthentication /etc/ssh/sshd_config +If configured properly, output should be yes + Is it the case that it is commented out or is not enabled? 
+ + + + To ensure the MaxAuthTries parameter is set, run the following command: +$ sudo grep MaxAuthTries /etc/ssh/sshd_config +If properly configured, output should be: +MaxAuthTries + Is it the case that it is commented out or not configured properly? + + + + To check if LogLevel is enabled or set correctly, run the +following command: +$ sudo grep "^LogLevel" /etc/ssh/sshd_config +If configured properly, output should be LogLevel INFO + Is it the case that it is commented out or is not enabled? + + + + To determine how the SSH daemon's X11Forwarding option is set, run the following command: +$ sudo grep -i X11Forwarding /etc/ssh/sshd_config +If no line, a commented line, or a line indicating the value no is returned, then the required value is set. + + Is it the case that the required value is not set? + + + + To determine how the SSH daemon's PermitRootLogin option is set, run the following command: +$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config + +If a line indicating prohibit-password is returned, then the required value is set. + Is it the case that it is commented out or not configured properly? + + + + To determine how the SSH daemon's PermitRootLogin option is set, run the following command: +$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config + +If a line indicating no is returned, then the required value is set. + + Is it the case that the required value is not set? + + + + To ensure sshd limits the users who can log in, run the following: +$ sudo grep AllowUsers /etc/ssh/sshd_config +If properly configured, the output should be a list of usernames allowed to log in +to this system. + Is it the case that sshd does not limit the users who can log in? + + + + To determine how the SSH daemon's AllowTcpForwarding option is set, run the following command: +$ sudo grep -i AllowTcpForwarding /etc/ssh/sshd_config +If no line, a commented line, or a line indicating the value no is returned, then the required value is set. 
+ Is it the case that The AllowTcpForwarding option exists and is disabled? + + + + To determine how the SSH daemon's HostbasedAuthentication option is set, run the following command: +$ sudo grep -i HostbasedAuthentication /etc/ssh/sshd_config +If no line, a commented line, or a line indicating the value no is returned, then the required value is set. + + Is it the case that the required value is not set? + + + + To check which SSH protocol version is allowed, check version of openssh-server with following command: + +$ rpm -qi openssh-server | grep Version + +Versions equal to or higher than 7.4 only allow Protocol 2. +If version is lower than 7.4, run the following command to check configuration: +$ sudo grep Protocol /etc/ssh/sshd_config +If configured properly, output should be Protocol 2 + Is it the case that it is commented out or is not set correctly to Protocol 2? + + + + To determine how the SSH daemon's Banner option is set, run the following command: +$ sudo grep -i Banner /etc/ssh/sshd_config + +If a line indicating /etc/issue is returned, then the required value is set. + + Is it the case that the required value is not set? + + + + To check if compression is enabled or set correctly, run the +following command: +$ sudo grep Compression /etc/ssh/sshd_config +If configured properly, output should be no or delayed. + Is it the case that it is commented out, or is not set to no or delayed? + + + + To determine how the SSH daemon's X11UseLocalhost option is set, run the following command: +$ sudo grep -i X11UseLocalhost /etc/ssh/sshd_config +If no line, a commented line, or a line indicating the value yes is returned, then the required value is set. + Is it the case that the display proxy is listening on wildcard address? 
+ + + + To check if StrictModes is enabled or set correctly, run the +following command: +$ sudo grep StrictModes /etc/ssh/sshd_config +If configured properly, output should be yes + Is it the case that it is commented out or is not enabled? + + + + To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command: +$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config +If no line, a commented line, or a line indicating the value no is returned, then the required value is set. + + Is it the case that the required value is not set? + + + + To check if KerberosAuthentication is disabled or set correctly, run the +following command: +$ sudo grep KerberosAuthentication /etc/ssh/sshd_config +If configured properly, output should be no + Is it the case that it is commented out or is not disabled? + + + + To check if UsePrivilegeSeparation is enabled or set correctly, run the +following command: +$ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config +If configured properly, output should be . + Is it the case that it is commented out or is not enabled? + + + + To check which SSH protocol version is allowed, check version of +openssh-server with following command: +$ rpm -qi openssh-server | grep Version +Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication option. +If version is lower than 7.4, run the following command to check configuration: +To determine how the SSH daemon's RhostsRSAAuthentication option is set, run the following command: +$ sudo grep -i RhostsRSAAuthentication /etc/ssh/sshd_config +If no line, a commented line, or a line indicating the value no is returned, then the required value is set. + + Is it the case that the required value is not set? 
+ + + + To ensure users are not able to send environment variables, run the following command: +$ sudo grep PermitUserEnvironment /etc/ssh/sshd_config +If properly configured, output should be: +PermitUserEnvironment no + Is it the case that PermitUserEnvironment is not disabled? + + + + To determine how the SSH daemon's IgnoreRhosts option is set, run the following command: +$ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config +If no line, a commented line, or a line indicating the value yes is returned, then the required value is set. + + Is it the case that the required value is not set? + + + + To ensure ClientAliveInterval is set correctly, run the following command: +$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config +If properly configured, the output should be: +ClientAliveCountMax +For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes an idle timeout precisely when +the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout +functionality completely. +If the option is set to a number greater than 0, then the idle session will be disconnected after +ClientAliveInterval * ClientAliveCountMax seconds. + Is it the case that it is commented out or not configured properly? + + + + To ensure ClientAliveInterval is set correctly, run the following command: +$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config +If properly configured, the output should be: +ClientAliveCountMax 0 + +In this case, the SSH idle timeout occurs precisely when +the ClientAliveInterval is set. + Is it the case that it is commented out or not configured properly? + + + + To determine how the SSH daemon's X11Forwarding option is set, run the following command: +$ sudo grep -i X11Forwarding /etc/ssh/sshd_config + +If a line indicating yes is returned, then the required value is set. + + Is it the case that the required value is not set? 
+ + + + To check if PubkeyAuthentication is disabled or set correctly, run the following +command: +$ sudo grep PubkeyAuthentication /etc/ssh/sshd_config +If configured properly, output should be no + Is it the case that it is not disabled? + + + + To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command: +$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config + +If a line indicating yes is returned, then the required value is set. + + Is it the case that the required value is not set? + + + + Run the following command to see what the max sessions number is: +$ sudo grep MaxSessions /etc/ssh/sshd_config +If properly configured, the output should be: +MaxSessions + Is it the case that MaxSessions is not configured or not configured correctly? + + + + Run the following command to determine if the abrt package is installed: +$ rpm -q abrt + Is it the case that the package is installed? + + + + + + + + draft + Guide to the Secure Configuration of Fedora + This guide presents a catalog of security-relevant +configuration settings for Fedora. It is a rendering of +content structured in the eXtensible Configuration Checklist Description Format (XCCDF) +in order to support security automation. The SCAP content is +is available in the scap-security-guide package which is developed at + + https://www.open-scap.org/security-policies/scap-security-guide. + +Providing system administrators with such guidance informs them how to securely +configure systems under their control in a variety of network roles. Policy +makers and baseline creators can use this catalog of settings, with its +associated references to higher-level security control catalogs, in order to +assist them in security baseline creation. This guide is a catalog, not a +checklist, and satisfaction of every item is not likely to be possible or +sensible in many operational scenarios. 
However, the XCCDF format enables +granular selection and adjustment of settings, and their association with OVAL +and OCIL content provides an automated checking capability. Transformations of +this document, and its associated automated checking content, are capable of +providing baselines that meet a diverse set of policy objectives. Some example +XCCDF Profiles, which are selections of items that form checklists and +can be used as baselines, are available with this guide. They can be +processed, in an automated fashion, with tools that support the Security +Content Automation Protocol (SCAP). The DISA STIG, which provides required +settings for US Department of Defense systems, is one example of a baseline +created from this guidance. + + Do not attempt to implement any of the settings in +this guide without first testing them in a non-operational environment. The +creators of this guidance assume no responsibility whatsoever for its use by +other parties, and makes no guarantees, expressed or implied, about its +quality, reliability, or any other characteristic. + + The SCAP Security Guide Project + + https://www.open-scap.org/security-policies/scap-security-guide + + Red Hat and Red Hat Enterprise Linux are either registered +trademarks or trademarks of Red Hat, Inc. in the United States and other +countries. All other names are registered trademarks or trademarks of their +respective companies. 
+ + + 0.1.56 + + SCAP Security Guide Project + SCAP Security Guide Project + Frank J Cameron (CAM1244) <cameron@ctc.com> + 0x66656c6978 <0x66656c6978@users.noreply.github.com> + Jack Adolph <jack.adolph@gmail.com> + Gabe Alford <redhatrises@gmail.com> + Firas AlShafei <firas.alshafei@us.abb.com> + Rodrigo Alvares <ralvares@redhat.com> + Christopher Anderson <cba@fedoraproject.org> + angystardust <angystardust@users.noreply.github.com> + anixon-rh <55244503+anixon-rh@users.noreply.github.com> + Chuck Atkins <chuck.atkins@kitware.com> + Ryan Ballanger <root@rballang-admin-2.fastenal.com> + Alex Baranowski <alex@euro-linux.com> + Molly Jo Bault <Molly.Jo.Bault@ballardtech.com> + Gabriel Becker <ggasparb@redhat.com> + Alexander Bergmann <abergmann@suse.com> + Dale Bewley <dale@bewley.net> + Jose Luis BG <bgjoseluis@gmail.com> + Joseph Bisch <joseph.bisch@gmail.com> + Jeffrey Blank <blank@eclipse.ncsc.mil> + Olivier Bonhomme <ptitoliv@ptitoliv.net> + Lance Bragstad <lbragstad@gmail.com> + Ted Brunell <tbrunell@redhat.com> + Blake Burkhart <blake.burkhart@us.af.mil> + Patrick Callahan <pmc@patrickcallahan.com> + George Campbell <gcampbell@palantir.com> + Nick Carboni <ncarboni@redhat.com> + James Cassell <james.cassell@ll.mit.edu> + Frank Caviggia <fcaviggi@ra.iad.redhat.com> + Eric Christensen <echriste@redhat.com> + Jayson Cofell <1051437+70k10@users.noreply.github.com> + Caleb Cooper <coopercd@ornl.gov> + Deric Crago <deric.crago@gmail.com> + Will Cushen <wcushen@redhat.com> + cyarbrough76 <42849651+cyarbrough76@users.noreply.github.com> + Maura Dailey <maura@eclipse.ncsc.mil> + Klaas Demter <demter@atix.de> + dhanushkar-wso2 <dhanushkar@wso2.com> + Andrew DiPrinzio <andrew.diprinzio@jhuapl.edu> + dom <dominique.blaze@devinci.fr> + Jean-Baptiste Donnette <jean-baptiste.donnette@epita.fr> + drax <applezip@gmail.com> + Sebastian Dunne <sdunne@redhat.com> + François Duthilleul <francoisduthilleul@gmail.com> + Greg Elin <gregelin@gitmachines.com> + eradot4027 
<jrtonmac@gmail.com> + Alexis Facques <alexis.facques@mythalesgroup.io> + Leah Fisher <lfisher047@gmail.com> + Alijohn Ghassemlouei <alijohn@secureagc.com> + ghylock <ghylock@gmail.com> + Andrew Gilmore <agilmore2@gmail.com> + Joshua Glemza <jglemza@nasa.gov> + Nick Gompper <forestgomp@yahoo.com> + Loren Gordon <lorengordon@users.noreply.github.com> + Patrik Greco <sikevux@sikevux.se> + Steve Grubb <sgrubb@redhat.com> + guangyee <gyee@suse.com> + Marek Haicman <mhaicman@redhat.com> + Rebekah Hayes <rhayes@corp.rivierautilities.com> + Trey Henefield <thenefield@gmail.com> + Henning Henkel <henning.henkel@helvetia.ch> + hex2a <hex2a@users.noreply.github.com> + John Hooks <jhooks@starscream.pa.jhbcomputers.com> + Jakub Hrozek <jhrozek@redhat.com> + De Huo <De.Huo@windriver.com> + Robin Price II <robin@redhat.com> + Yasir Imam <yimam@redhat.com> + Jiri Jaburek <jjaburek@redhat.com> + Keith Jackson <keithkjackson@gmail.com> + Jeremiah Jahn <jeremiah@goodinassociates.com> + Jakub Jelen <jjelen@redhat.com> + Jessicahfy <Jessicahfy@users.noreply.github.com> + Stephan Joerrens <Stephan.Joerrens@fiduciagad.de> + Jono <jono@ubuntu-18.localdomain> + Kai Kang <kai.kang@windriver.com> + Charles Kernstock <charles.kernstock@ultra-ats.com> + Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> + Nathan Kinder <nkinder@redhat.com> + Lee Kinser <lee.kinser@gmail.com> + Evgeny Kolesnikov <ekolesni@redhat.com> + Peter 'Pessoft' Kolínek <github@pessoft.com> + Luke Kordell <luke.t.kordell@lmco.com> + Malte Kraus <malte.kraus@suse.com> + Seth Kress <seth.kress@dsainc.com> + kspargur <kspargur@kspargur.csb> + Amit Kumar <amitkuma@redhat.com> + Fen Labalme <fen@civicactions.com> + Ade Lee <alee@redhat.com> + Christopher Lee <Crleekwc@gmail.com> + Ian Lee <lee1001@llnl.gov> + Jarrett Lee <jarrettl@umd.edu> + Joseph Lenox <lordofhyphens@gmail.com> + Jan Lieskovsky <jlieskov@redhat.com> + Šimon Lukašík <slukasik@redhat.com> + Milan Lysonek <mlysonek@redhat.com> + Fredrik Lysén <fredrik@pipemore.se> 
+ Caitlin Macleod <caitelatte@gmail.com> + Nick Maludy <nmaludy@gmail.com> + Lokesh Mandvekar <lsm5@fedoraproject.org> + Matus Marhefka <mmarhefk@redhat.com> + Jamie Lorwey Martin <jlmartin@redhat.com> + Carlos Matos <cmatos@redhat.com> + Robert McAllister <rmcallis@redhat.com> + Michael McConachie <michael@redhat.com> + Marcus Meissner <meissner@suse.de> + Khary Mendez <kmendez@redhat.com> + Rodney Mercer <rmercer@harris.com> + Matt Micene <nzwulfin@gmail.com> + Brian Millett <bmillett@gmail.com> + Takuya Mishina <tmishina@jp.ibm.com> + Mixer9 <35545791+Mixer9@users.noreply.github.com> + mmosel <mmosel@kde.example.com> + Zbynek Moravec <zmoravec@redhat.com> + Kazuo Moriwaka <moriwaka@users.noreply.github.com> + Michael Moseley <michael@eclipse.ncsc.mil> + Renaud Métrich <rmetrich@redhat.com> + Joe Nall <joe@nall.com> + Neiloy <neiloy@redhat.com> + Axel Nennker <axel@nennker.de> + Michele Newman <mnewman@redhat.com> + Sean O'Keeffe <seanokeeffe797@gmail.com> + Ilya Okomin <ilya.okomin@oracle.com> + Kaustubh Padegaonkar <theTuxRacer@gmail.com> + Michael Palmiotto <mpalmiotto@tresys.com> + Max R.D. Parmer <maxp@trystero.is> + Jan Pazdziora <jpazdziora@redhat.com> + pcactr <paul.c.arnold4.ctr@mail.mil> + Kenneth Peeples <kennethwpeeples@gmail.com> + Nathan Peters <Nathaniel.Peters@ca.com> + Frank Lin PIAT <fpiat@klabs.be> + Stefan Pietsch <mail.ipv4v6+gh@gmail.com> + piggyvenus <piggyvenus@gmail.com> + Vojtech Polasek <vpolasek@redhat.com> + Orion Poplawski <orion@nwra.com> + Nick Poyant <npoyant@redhat.com> + Martin Preisler <mpreisle@redhat.com> + Wesley Ceraso Prudencio <wcerasop@redhat.com> + Raphael Sanchez Prudencio <rsprudencio@redhat.com> + T.O. 
Radzy Radzykewycz <radzy@windriver.com> + Kenyon Ralph <kenyon@kenyonralph.com> + Mike Ralph <mralph@redhat.com> + Federico Ramirez <federico.r.ramirez@oracle.com> + rchikov <rumen.chikov@suse.com> + Rick Renshaw <Richard_Renshaw@xtoenergy.com> + Chris Reynolds <c.reynolds82@gmail.com> + rhayes <rhayes@rivierautilities.com> + Pat Riehecky <riehecky@fnal.gov> + rlucente-se-jboss <rlucente@redhat.com> + Juan Antonio Osorio Robles <jaosorior@redhat.com> + Matt Rogers <mrogers@redhat.com> + Jesse Roland <jesse.roland@onyxpoint.com> + Joshua Roys <roysjosh@gmail.com> + rrenshaw <bofh69@yahoo.com> + Chris Ruffalo <chris.ruffalo@gmail.com> + Ray Shaw (Cont ARL/CISD) rvshaw <rvshaw@esme.arl.army.mil> + Earl Sampson <ESampson@suse.com> + Willy Santos <wsantos@redhat.com> + Gautam Satish <gautams@hpe.com> + Watson Sato <wsato@redhat.com> + Satoru SATOH <satoru.satoh@gmail.com> + Alexander Scheel <ascheel@redhat.com> + Bryan Schneiders <pschneiders@trisept.com> + shaneboulden <shane.boulden@gmail.com> + Spencer Shimko <sshimko@tresys.com> + Mark Shoger <mshoger@redhat.com> + Thomas Sjögren <konstruktoid@users.noreply.github.com> + Francisco Slavin <fslavin@tresys.com> + David Smith <dsmith@eclipse.ncsc.mil> + Kevin Spargur <kspargur@redhat.com> + Kenneth Stailey <kstailey.lists@gmail.com> + Leland Steinke <leland.j.steinke.ctr@mail.mil> + Justin Stephenson <jstephen@redhat.com> + Brian Stinson <brian@bstinson.com> + Jake Stookey <jakestookey@gmail.com> + Jonathan Sturges <jsturges@redhat.com> + teacup-on-rockingchair <strandjata@gmail.com> + Ian Tewksbury <itewk@redhat.com> + Philippe Thierry <phil@reseau-libre.net> + Derek Thurston <thegrit@gmail.com> + tianzhenjia <jiatianzhen@cmss.chinamobile.com> + Greg Tinsley <gtinsley@redhat.com> + Paul Tittle <ptittle@cmf.nrl.navy.mil> + tomas.hudik <tomas.hudik@embedit.cz> + Jeb Trayer <jeb.d.trayer@uscg.mil> + Brian Turek <brian.turek@gmail.com> + Matěj Týč <matyc@redhat.com> + VadimDor <29509093+VadimDor@users.noreply.github.com> + 
Samuel Warren <swarren@redhat.com> + Shawn Wells <shawn@shawndwells.io> + Daniel E. White <linuxdan@users.noreply.github.com> + Bernhard M. Wiedemann <bwiedemann@suse.de> + Roy Williams <roywilli@roywilli.redhat.com> + Willumpie <willumpie@xs4all.nl> + Rob Wilmoth <rwilmoth@redhat.com> + Lucas Yamanishi <lucas.yamanishi@onyxpoint.com> + Xirui Yang <xirui.yang@oracle.com> + yarunachalam <yarunachalam@suse.com> + Kevin Zimmerman <kevin.zimmerman@kitware.com> + Jan Černý <jcerny@redhat.com> + Michal Šrubař <msrubar@redhat.com> + https://github.com/OpenSCAP/scap-security-guide/releases/latest + + + + OSPP - Protection Profile for General Purpose Operating Systems + This profile reflects mandatory configuration controls identified in the +NIAP Configuration Annex to the Protection Profile for General Purpose +Operating Systems (Protection Profile Version 4.2). + +As Fedora OS is moving target, this profile does not guarantee to provide +security levels required from US National Security Systems. Main goal of +the profile is to provide Fedora developers with hardened environment +similar to the one mandated by US National Security Systems. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + PCI-DSS v3.2.1 Control Baseline for Fedora + Ensures PCI-DSS v3.2.1 related security configuration settings are applied. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Standard System Security Profile for Fedora + This profile contains rules to ensure standard security baseline of a Fedora system. +Regardless of your system's workload all of these checks should pass. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Remediation functions used by the SCAP Security Guide Project + XCCDF form of the various remediation functions as used by remediation scripts from the SCAP Security Guide Project. + + + + + + + + + + + + + + + System Settings + Contains rules that check correct system settings. + + Installing and Maintaining Software + The following sections contain information on +security-relevant choices during the initial operating system +installation process and the setup of software +updates. + + Prefer to use a 64-bit Operating System when supported + Prefer installation of 64-bit operating systems when the CPU supports it. + There is no remediation besides installing a 64-bit operating system. + BP28(R10) + Use of a 64-bit operating system offers a few advantages, like a larger address space range for +Address Space Layout Randomization (ASLR) and systematic presence of No eXecute and Execute Disable (NX/XD) protection bits. + + + + + + + + + System and Software Integrity + System and software integrity can be gained by installing antivirus, increasing +system encryption strength with FIPS, verifying installed software, enabling SELinux, +installing an Intrusion Prevention System, etc. However, installing or enabling integrity +checking tools cannot prevent intrusions, but they can detect that an intrusion +may have occurred. 
Requirements for integrity checking may be highly dependent on +the environment in which the system will be used. Snapshot-based approaches such +as AIDE may induce considerable overhead in the presence of frequent software updates. + + Software Integrity Checking + Both the AIDE (Advanced Intrusion Detection Environment) +software and the RPM package management system provide +mechanisms for verifying the integrity of installed software. +AIDE uses snapshots of file metadata (such as hashes) and compares these +to current system files in order to detect changes. + +The RPM package management system can conduct integrity +checks by comparing information in its metadata database with +files installed on the system. + + Verify Integrity with RPM + The RPM package management system includes the ability +to verify the integrity of installed packages by comparing the +installed files with information about the files taken from the +package metadata stored in the RPM database. Although an attacker +could corrupt the RPM database (analogous to attacking the AIDE +database as described above), this check can still reveal +modification of important files. To list which files on the system differ from what is expected by the RPM database: +$ rpm -qVa +See the man page for rpm to see a complete explanation of each column. + + Verify File Hashes with RPM + Without cryptographic integrity protections, system +executables and files can be altered by unauthorized users without +detection. +The RPM package management system can check the hashes of +installed software packages, including many that are important to system +security. 
+To verify that the cryptographic hash of system files and commands matches vendor +values, run the following command to list which files on the system +have hashes that differ from what is expected by the RPM database: +$ rpm -Va --noconfig | grep '^..5' +A "c" in the second column indicates that a file is a configuration file, which +may appropriately be expected to change. If the file was not expected to +change, investigate the cause of the change using audit logs or other means. +The package can then be reinstalled to restore the file. +Run the following command to determine which package owns the file: +$ rpm -qf FILENAME +The package can be reinstalled from a dnf repository using the command: +$ sudo dnf reinstall PACKAGENAME +Alternatively, the package can be reinstalled from trusted media using the command: +$ sudo rpm -Uvh PACKAGENAME + 5.10.4.1 + 3.3.8 + 3.4.1 + CCI-000366 + CCI-001749 + 164.308(a)(1)(ii)(D) + 164.312(b) + 164.312(c)(1) + 164.312(c)(2) + 164.312(e)(2)(i) + CM-6(d) + CM-6(c) + SI-7 + SI-7(1) + SI-7(6) + AU-9(3) + PR.DS-6 + PR.DS-8 + PR.IP-1 + Req-11.5 + SRG-OS-000480-GPOS-00227 + SR 3.1 + SR 3.3 + SR 3.4 + SR 3.8 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + 4.3.4.4.4 + APO01.06 + BAI03.05 + BAI06.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS06.02 + A.11.2.4 + A.12.1.2 + A.12.2.1 + A.12.5.1 + A.12.6.2 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 2 + 3 + 9 + The hashes of important files like system executables should match the +information given by the RPM database. Executables with erroneous hashes could +be a sign of nefarious activity on the system. 
+ +# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names +files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )" + +# From files names get package names and change newline to space, because rpm writes each package to new line +packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')" + +dnf reinstall -y $packages_to_reinstall + + - name: 'Set fact: Package manager reinstall command (dnf)' + set_fact: + package_manager_reinstall_cmd: dnf reinstall -y + when: ansible_distribution == "Fedora" + tags: + - CJIS-5.10.4.1 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption + - no_reboot_needed + - restrict_strategy + - rpm_verify_hashes + +- name: 'Set fact: Package manager reinstall command (yum)' + set_fact: + package_manager_reinstall_cmd: yum reinstall -y + when: (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux") + tags: + - CJIS-5.10.4.1 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption + - no_reboot_needed + - restrict_strategy + - rpm_verify_hashes + +- name: Read files with incorrect hash + command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser + --nogroup --nomode --noghost --noconfig + args: + warn: false + register: files_with_incorrect_hash + changed_when: false + failed_when: files_with_incorrect_hash.rc > 1 + check_mode: false + when: (package_manager_reinstall_cmd is defined) + tags: + - CJIS-5.10.4.1 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - 
NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption + - no_reboot_needed + - restrict_strategy + - rpm_verify_hashes + +- name: Create list of packages + command: rpm -qf "{{ item }}" + args: + warn: false + with_items: '{{ files_with_incorrect_hash.stdout_lines | map(''regex_findall'', + ''^[.]+[5]+.* (\/.*)'', ''\1'') | map(''join'') | select(''match'', ''(\/.*)'') + | list | unique }}' + register: list_of_packages + changed_when: false + check_mode: false + when: + - files_with_incorrect_hash.stdout_lines is defined + - (files_with_incorrect_hash.stdout_lines | length > 0) + tags: + - CJIS-5.10.4.1 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption + - no_reboot_needed + - restrict_strategy + - rpm_verify_hashes + +- name: Reinstall packages of files with incorrect hash + command: '{{ package_manager_reinstall_cmd }} ''{{ item }}''' + args: + warn: false + with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list + | unique }}' + when: + - files_with_incorrect_hash.stdout_lines is defined + - (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines + | length > 0)) + tags: + - CJIS-5.10.4.1 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption + - no_reboot_needed + - restrict_strategy + - rpm_verify_hashes + + + + + + + + + + Verify and Correct File Permissions with RPM + The RPM package management system can check file 
access permissions +of installed software packages, including many that are important +to system security. +Verify that the file permissions of system files +and commands match vendor values. Check the file permissions +with the following command: +$ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }' +Output indicates files that do not match vendor defaults. +After locating a file with incorrect permissions, +run the following command to determine which package owns it: +$ rpm -qf FILENAME + +Next, run the following command to reset its permissions to +the correct values: +$ sudo rpm --setperms PACKAGENAME + Profiles may require that specific files have stricter file permissions than defined by the +vendor. +Such files will be reported as a finding and need to be evaluated according to your policy +and deployment environment. + 5.10.4.1 + 3.3.8 + 3.4.1 + CCI-001493 + CCI-001494 + CCI-001495 + CCI-001496 + 164.308(a)(1)(ii)(D) + 164.312(b) + 164.312(c)(1) + 164.312(c)(2) + 164.312(e)(2)(i) + CM-6(d) + CM-6(c) + SI-7 + SI-7(1) + SI-7(6) + AU-9(3) + CM-6(a) + PR.AC-4 + PR.DS-5 + PR.IP-1 + PR.PT-1 + Req-11.5 + SRG-OS-000256-GPOS-00097 + SRG-OS-000257-GPOS-00098 + SRG-OS-000258-GPOS-00099 + SRG-OS-000278-GPOS-00108 + SR 2.1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 5.2 + SR 7.6 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.7.3 + 4.3.4.3.2 + 4.3.4.3.3 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO01.06 + APO11.04 + BAI03.05 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.04 + DSS05.07 + DSS06.02 + MEA02.01 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.5.1 + A.12.6.2 + A.12.7.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + 6 + 9 + Permissions on system binaries and 
configuration files that are too generous +could allow an unauthorized user to gain privileges that they should not have. +The permissions set by the vendor should be maintained. Any deviations from +this baseline should be investigated. + +# Declare array to hold set of RPM packages we need to correct permissions for +declare -A SETPERMS_RPM_DICT + +# Create a list of files on the system having permissions different from what +# is expected by the RPM database +readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }') + +for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}" +do + # NOTE: some files maybe controlled by more then one package + readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}") + for RPM_PACKAGE in "${RPM_PACKAGES[@]}" + do + # Use an associative array to store packages as it's keys, not having to care about duplicates. + SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1 + done +done + +# For each of the RPM packages left in the list -- reset its permissions to the +# correct values +for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}" +do + rpm --restore "${RPM_PACKAGE}" +done + + - name: Read list of files with incorrect permissions + command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev + --nocaps --nolinkto --nouser --nogroup + args: + warn: false + register: files_with_incorrect_permissions + failed_when: files_with_incorrect_permissions.rc > 1 + changed_when: false + check_mode: false + tags: + - CJIS-5.10.4.1 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption + - no_reboot_needed + - restrict_strategy + - rpm_verify_permissions + +- name: Create list of packages + command: rpm -qf "{{ item }}" + args: + warn: false + with_items: '{{ 
files_with_incorrect_permissions.stdout_lines | map(''regex_findall'', + ''^[.]+[M]+.* (\/.*)'', ''\1'') | map(''join'') | select(''match'', ''(\/.*)'') + | list | unique }}' + register: list_of_packages + changed_when: false + check_mode: false + when: (files_with_incorrect_permissions.stdout_lines | length > 0) + tags: + - CJIS-5.10.4.1 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption + - no_reboot_needed + - restrict_strategy + - rpm_verify_permissions + +- name: Correct file permissions with RPM + command: rpm --setperms '{{ item }}' + args: + warn: false + with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list + | unique }}' + when: (files_with_incorrect_permissions.stdout_lines | length > 0) + tags: + - CJIS-5.10.4.1 + - NIST-800-171-3.3.8 + - NIST-800-171-3.4.1 + - NIST-800-53-AU-9(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(c) + - NIST-800-53-CM-6(d) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - NIST-800-53-SI-7(6) + - PCI-DSS-Req-11.5 + - high_complexity + - high_severity + - medium_disruption + - no_reboot_needed + - restrict_strategy + - rpm_verify_permissions + + + + + + + + + + + Verify Integrity with AIDE + AIDE conducts integrity checks by comparing information about +files with previously-gathered information. Ideally, the AIDE database is +created immediately after initial system configuration, and then again after any +software update. AIDE is highly configurable, with further configuration +information located in /usr/share/doc/aide-VERSION. 
+ + + Install AIDE + The aide package can be installed with the following command: + +$ sudo dnf install aide + 5.10.1.3 + CM-6(a) + DE.CM-1 + DE.CM-7 + PR.DS-1 + PR.DS-6 + PR.DS-8 + PR.IP-1 + PR.IP-3 + Req-11.5 + SR 3.1 + SR 3.3 + SR 3.4 + SR 3.8 + SR 4.1 + SR 6.2 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + 4.3.4.4.4 + APO01.06 + BAI01.06 + BAI02.01 + BAI03.05 + BAI06.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.03 + DSS03.05 + DSS04.07 + DSS05.02 + DSS05.03 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.06 + A.11.2.4 + A.12.1.2 + A.12.2.1 + A.12.4.1 + A.12.5.1 + A.12.6.2 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.14.2.7 + A.15.2.1 + A.8.2.3 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 7 + 8 + 9 + BP28(R51) + SRG-OS-000363-GPOS-00150 + 1034 + 1288 + 1341 + 1417 + CCI-002699 + CCI-001744 + The AIDE package must be installed if it is to be available for integrity checking. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "aide" ; then + dnf install -y "aide" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure aide is installed + package: + name: aide + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.10.1.3 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-11.5 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_aide_installed + + include install_aide + +class install_aide { + package { 'aide': + ensure => 'installed', + } +} + + +package --add=aide + + +[[packages]] +name = "aide" +version = "*" + + + + + + + + + + Build and Test AIDE Database + Run the following command to generate a new database: +$ sudo /usr/sbin/aide --init +By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. 
+Storing the database, the configuration file /etc/aide.conf, and the binary +/usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. +The newly-generated database can be installed as follows: +$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz +To initiate a manual check, run the following command: +$ sudo /usr/sbin/aide --check +If this check produces any unexpected output, investigate. + BP28(R51) + 5.10.1.3 + CM-6(a) + DE.CM-1 + DE.CM-7 + PR.DS-1 + PR.DS-6 + PR.DS-8 + PR.IP-1 + PR.IP-3 + Req-11.5 + SR 3.1 + SR 3.3 + SR 3.4 + SR 3.8 + SR 4.1 + SR 6.2 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + 4.3.4.4.4 + APO01.06 + BAI01.06 + BAI02.01 + BAI03.05 + BAI06.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.03 + DSS03.05 + DSS04.07 + DSS05.02 + DSS05.03 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.06 + A.11.2.4 + A.12.1.2 + A.12.2.1 + A.12.4.1 + A.12.5.1 + A.12.6.2 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.14.2.7 + A.15.2.1 + A.8.2.3 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 7 + 8 + 9 + For AIDE to be effective, an initial database of "known-good" information about files +must be captured and it should be able to be verified against the installed files. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! 
rpm -q --quiet "aide" ; then + dnf install -y "aide" +fi + +/usr/sbin/aide --init +/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure AIDE is installed + package: + name: '{{ item }}' + state: present + with_items: + - aide + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.10.1.3 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-11.5 + - aide_build_database + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Build and Test AIDE Database + command: /usr/sbin/aide --init + changed_when: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.10.1.3 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-11.5 + - aide_build_database + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Check whether the stock AIDE Database exists + stat: + path: /var/lib/aide/aide.db.new.gz + register: aide_database_stat + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.10.1.3 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-11.5 + - aide_build_database + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Stage AIDE Database + copy: + src: /var/lib/aide/aide.db.new.gz + dest: /var/lib/aide/aide.db.gz + backup: true + remote_src: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists) + tags: + - CJIS-5.10.1.3 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-11.5 + - aide_build_database + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Configure Periodic Execution of 
AIDE + At a minimum, AIDE should be configured to run a weekly scan. +To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: +05 4 * * * root /usr/sbin/aide --check +To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: +05 4 * * 0 root /usr/sbin/aide --check +AIDE can be executed periodically through other means; this is merely one example. +The usage of cron's special time codes, such as @daily and +@weekly is acceptable. + BP28(R51) + 5.10.1.3 + CCI-001744 + CCI-002699 + CCI-002702 + SI-7 + SI-7(1) + CM-6(a) + DE.CM-1 + DE.CM-7 + PR.DS-1 + PR.DS-6 + PR.DS-8 + PR.IP-1 + PR.IP-3 + Req-11.5 + SRG-OS-000363-GPOS-00150 + SRG-OS-000446-GPOS-00200 + SRG-OS-000447-GPOS-00201 + SR 3.1 + SR 3.3 + SR 3.4 + SR 3.8 + SR 4.1 + SR 6.2 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + 4.3.4.4.4 + APO01.06 + BAI01.06 + BAI02.01 + BAI03.05 + BAI06.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.03 + DSS03.05 + DSS04.07 + DSS05.02 + DSS05.03 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.06 + A.11.2.4 + A.12.1.2 + A.12.2.1 + A.12.4.1 + A.12.5.1 + A.12.6.2 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.14.2.7 + A.15.2.1 + A.8.2.3 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 7 + 8 + 9 + By default, AIDE does not install itself for periodic execution. Periodically +running AIDE is necessary to reveal unexpected changes in installed files. + +Unauthorized changes to the baseline configuration could make the system vulnerable +to various attacks or allow unauthorized access to the operating system. Changes to +operating system configurations can have unintended side effects, some of which may +be relevant to security. + +Detecting such changes and providing an automated response can help avoid unintended, +negative consequences that could ultimately affect the security state of the operating +system. 
The operating system's Information Management Officer (IMO)/Information System +Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or +monitoring system trap when there is an unauthorized modification of a configuration item. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "aide" ; then + dnf install -y "aide" +fi + +if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then + echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab +else + sed -i '/^.*\/usr\/sbin\/aide --check.*$/d' /etc/crontab + echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure AIDE is installed + package: + name: '{{ item }}' + state: present + with_items: + - aide + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.10.1.3 + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - PCI-DSS-Req-11.5 + - aide_periodic_cron_checking + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Configure Periodic Execution of AIDE + cron: + name: run AIDE check + minute: 5 + hour: 4 + weekday: 0 + user: root + job: /usr/sbin/aide --check + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.10.1.3 + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-7 + - NIST-800-53-SI-7(1) + - PCI-DSS-Req-11.5 + - aide_periodic_cron_checking + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + + Federal Information Processing Standard (FIPS) + The Federal Information Processing Standard (FIPS) is a computer security standard which +is developed by the U.S. 
Government and industry working groups to validate the quality +of cryptographic modules. The FIPS standard provides four security levels to ensure +adequate coverage of different industries, implementation of cryptographic modules, and +organizational sizes and requirements. + +FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules +utilize authentication that meets industry and government requirements. For government systems, this allows +Security Levels 1, 2, 3, or 4 for use on Fedora. + +See http://csrc.nist.gov/publications/PubsFIPS.html for more information. + + + Set kernel parameter 'crypto.fips_enabled' to 1 + System running in FIPS mode is indicated by kernel parameter +'crypto.fips_enabled'. This parameter should be set to 1 +in FIPS mode. +To enable FIPS mode, run the following command: +fips-mode-setup --enable + The system needs to be rebooted for these changes to take effect. + System Crypto Modules must be provided by a vendor that undergoes +FIPS-140 certifications. +FIPS-140 is applicable to all Federal agencies that use +cryptographic-based security systems to protect sensitive information +in computer and telecommunication systems (including voice systems) as +defined in Section 5131 of the Information Technology Management Reform +Act of 1996, Public Law 104-106. This standard shall be used in +designing and implementing cryptographic modules that Federal +departments and agencies operate or are operated for them under +contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf +To meet this, the system has to have cryptographic software provided by +a vendor that has undergone this certification. This means providing +documentation, test results, design information, and independent third +party review by an accredited lab. While open source software is +capable of meeting this, it does not meet FIPS-140 unless the vendor +submits to this process. 
+ CCI-000068 + CCI-000803 + CCI-002450 + SC-12(2) + SC-12(3) + IA-7 + SC-13 + CM-6(a) + SC-12 + SRG-OS-000120-VMM-000600 + SRG-OS-000478-VMM-001980 + SRG-OS-000396-VMM-001590 + SRG-OS-000033-GPOS-00014 + SRG-OS-000125-GPOS-00065 + SRG-OS-000396-GPOS-00176 + SRG-OS-000423-GPOS-00187 + SRG-OS-000478-GPOS-00223 + Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to +protect data. The operating system must implement cryptographic modules adhering to the higher +standards approved by the federal government since this provides assurance they have been tested +and validated. + + + + + + + + + + Enable FIPS Mode + To enable FIPS mode, run the following command: +fips-mode-setup --enable + +The fips-mode-setup command will configure the system in +FIPS mode by automatically configuring the following: +Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1Creating /etc/system-fipsSetting the system crypto policy in /etc/crypto-policies/config to FIPSLoading the Dracut fips module +Furthermore, the system running in FIPS mode should be FIPS certified by NIST. + The system needs to be rebooted for these changes to take effect. + System Crypto Modules must be provided by a vendor that undergoes +FIPS-140 certifications. +FIPS-140 is applicable to all Federal agencies that use +cryptographic-based security systems to protect sensitive information +in computer and telecommunication systems (including voice systems) as +defined in Section 5131 of the Information Technology Management Reform +Act of 1996, Public Law 104-106. This standard shall be used in +designing and implementing cryptographic modules that Federal +departments and agencies operate or are operated for them under +contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf +To meet this, the system has to have cryptographic software provided by +a vendor that has undergone this certification. 
This means providing +documentation, test results, design information, and independent third +party review by an accredited lab. While open source software is +capable of meeting this, it does not meet FIPS-140 unless the vendor +submits to this process. + CCI-000068 + CCI-000803 + CCI-002450 + SC-12(2) + SC-12(3) + IA-7 + SC-13 + CM-6(a) + SC-12 + SRG-OS-000120-VMM-000600 + SRG-OS-000478-VMM-001980 + SRG-OS-000396-VMM-001590 + FCS_COP.1(1) + FCS_COP.1(2) + FCS_COP.1(3) + FCS_COP.1(4) + FCS_CKM.1 + FCS_CKM.2 + FCS_TLSC_EXT.1 + SRG-OS-000478-GPOS-00223 + SRG-OS-000396-GPOS-00176 + 1446 + Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to +protect data. The operating system must implement cryptographic modules adhering to the higher +standards approved by the federal government since this provides assurance they have been tested +and validated. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +fips-mode-setup --enable + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: enable fips mode + command: /usr/bin/fips-mode-setup --enable + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-7 + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(2) + - NIST-800-53-SC-12(3) + - NIST-800-53-SC-13 + - enable_fips_mode + - high_severity + - medium_complexity + - medium_disruption + - reboot_required + - restrict_strategy + + + + + + + + + + + Ensure '/etc/system-fips' exists + On a system where FIPS mode is enabled, /etc/system-fips must exist. +To enable FIPS mode, run the following command: +fips-mode-setup --enable + The system needs to be rebooted for these changes to take effect. + System Crypto Modules must be provided by a vendor that undergoes +FIPS-140 certifications. 
+FIPS-140 is applicable to all Federal agencies that use +cryptographic-based security systems to protect sensitive information +in computer and telecommunication systems (including voice systems) as +defined in Section 5131 of the Information Technology Management Reform +Act of 1996, Public Law 104-106. This standard shall be used in +designing and implementing cryptographic modules that Federal +departments and agencies operate or are operated for them under +contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf +To meet this, the system has to have cryptographic software provided by +a vendor that has undergone this certification. This means providing +documentation, test results, design information, and independent third +party review by an accredited lab. While open source software is +capable of meeting this, it does not meet FIPS-140 unless the vendor +submits to this process. + CCI-000068 + CCI-000803 + CCI-002450 + SC-12(2) + SC-12(3) + IA-7 + SC-13 + CM-6(a) + SC-12 + SRG-OS-000120-VMM-000600 + SRG-OS-000478-VMM-001980 + SRG-OS-000396-VMM-001590 + Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to +protect data. The operating system must implement cryptographic modules adhering to the higher +standards approved by the federal government since this provides assurance they have been tested +and validated. + + + + + + + + + + Enable Dracut FIPS Module + To enable FIPS mode, run the following command: +fips-mode-setup --enable +To enable FIPS, the system requires that the fips module is added in +dracut configuration. +Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips " + The system needs to be rebooted for these changes to take effect. + System Crypto Modules must be provided by a vendor that undergoes +FIPS-140 certifications. 
+FIPS-140 is applicable to all Federal agencies that use +cryptographic-based security systems to protect sensitive information +in computer and telecommunication systems (including voice systems) as +defined in Section 5131 of the Information Technology Management Reform +Act of 1996, Public Law 104-106. This standard shall be used in +designing and implementing cryptographic modules that Federal +departments and agencies operate or are operated for them under +contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf +To meet this, the system has to have cryptographic software provided by +a vendor that has undergone this certification. This means providing +documentation, test results, design information, and independent third +party review by an accredited lab. While open source software is +capable of meeting this, it does not meet FIPS-140 unless the vendor +submits to this process. + CCI-000068 + CCI-000803 + CCI-002450 + SC-12(2) + SC-12(3) + IA-7 + SC-13 + CM-6(a) + SC-12 + SRG-OS-000120-VMM-000600 + SRG-OS-000478-VMM-001980 + SRG-OS-000396-VMM-001590 + SRG-OS-000478-GPOS-00223 + 1446 + Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to +protect data. The operating system must implement cryptographic modules adhering to the higher +standards approved by the federal government since this provides assurance they have been tested +and validated. + + + + + + + + + + + System Cryptographic Policies + Linux has the capability to centrally configure cryptographic polices. The command +update-crypto-policies is used to set the policy applicable for the various +cryptographic back-ends, such as SSL/TLS libraries. The configured cryptographic +policies will be the default policy used by these backends unless the application +user configures them otherwise. 
When the system has been configured to use the +centralized cryptographic policies, the administrator is assured that any application +that utilizes the supported backends will follow a policy that adheres to the +configured profile. + +Currently the supported backends are: +GnuTLS libraryOpenSSL libraryNSS libraryOpenJDKLibkrb5BINDOpenSSH +Applications and languages which rely on any of these backends will follow the +system policies as well. Examples are apache httpd, nginx, php, and others. + + SSH client RekeyLimit - size + Specify the size component of the rekey limit. This limit signifies amount +of data. After this amount of data is transferred through the connection, +the session key is renegotiated. The number is followed by K, M or G for +kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also +configured according to elapsed time. + 512M + 512M + 1G + + + SSH client RekeyLimit - time + Specify the time component of the rekey limit. The session key is +renegotiated after the defined amount of time passes. The number is followed +by units such as H or M for hours or minutes. Note that the RekeyLimit can +be also configured according to amount of transfered data. + 1h + 1h + + + The system-provided crypto policies + Specify the crypto policy for the system. + DEFAULT + DEFAULT:NO-SHA1 + FIPS + FIPS:OSPP + LEGACY + FUTURE + NEXT + + + Configure OpenSSL library to use System Crypto Policy + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +OpenSSL is supported by crypto policy, but the OpenSSL configuration may be +set up to ignore it. +To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file +available under /etc/pki/tls/openssl.cnf. +This file has the ini format, and it enables crypto policy support +if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive. 
+ AC-17(a) + AC-17(2) + CM-6(a) + MA-4(6) + SC-13 + SC-12(2) + SC-12(3) + SRG-OS-000250-GPOS-00093 + CCI-001453 + Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, +and makes system configuration more fragmented. + +OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]' +OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]' +OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config' +OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$' + +function remediate_openssl_crypto_policy() { + CONFIG_FILE="/etc/pki/tls/openssl.cnf" + if test -f "$CONFIG_FILE"; then + if ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_SECTION_REGEX" "$CONFIG_FILE"; then + printf '\n%s\n\n%s' "$OPENSSL_CRYPTO_POLICY_SECTION" "$OPENSSL_CRYPTO_POLICY_INCLUSION" >> "$CONFIG_FILE" + return 0 + elif ! grep -q "^\\s*$OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX" "$CONFIG_FILE"; then + sed -i "s|$OPENSSL_CRYPTO_POLICY_SECTION_REGEX|&\\n\\n$OPENSSL_CRYPTO_POLICY_INCLUSION\\n|" "$CONFIG_FILE" + return 0 + fi + else + echo "Aborting remediation as '$CONFIG_FILE' was not even found." 
>&2 + return 1 + fi +} + +remediate_openssl_crypto_policy + + - name: Test for crypto_policy group + command: grep '^\s*\[\s*crypto_policy\s*]' /etc/pki/tls/openssl.cnf + register: test_crypto_policy_group + ignore_errors: true + changed_when: false + check_mode: false + tags: + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-MA-4(6) + - NIST-800-53-SC-12(2) + - NIST-800-53-SC-12(3) + - NIST-800-53-SC-13 + - configure_openssl_crypto_policy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Add .include for opensslcnf.config to crypto_policy section + lineinfile: + create: true + insertafter: ^\s*\[\s*crypto_policy\s*]\s* + line: .include /etc/crypto-policies/back-ends/opensslcnf.config + path: /etc/pki/tls/openssl.cnf + when: + - test_crypto_policy_group.stdout is defined + - test_crypto_policy_group.stdout | length > 0 + tags: + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-MA-4(6) + - NIST-800-53-SC-12(2) + - NIST-800-53-SC-12(3) + - NIST-800-53-SC-13 + - configure_openssl_crypto_policy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Add crypto_policy group and set include opensslcnf.config + lineinfile: + create: true + line: |- + [crypto_policy] + .include /etc/crypto-policies/back-ends/opensslcnf.config + path: /etc/pki/tls/openssl.cnf + when: + - test_crypto_policy_group.stdout is defined + - test_crypto_policy_group.stdout | length < 1 + tags: + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-MA-4(6) + - NIST-800-53-SC-12(2) + - NIST-800-53-SC-12(3) + - NIST-800-53-SC-13 + - configure_openssl_crypto_policy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Harden SSHD Crypto Policy + Crypto Policies are means of enforcing certain 
cryptographic settings for selected applications including OpenSSH server. +The SSHD service is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSH Server and leave rest of the Crypto Policy intact. +This can be done by dropping a file named opensshserver-xxx.config, replacing xxx with arbitrary identifier, into /etc/crypto-policies/local.d. This has to be followed by running update-crypto-policies so that changes are applied. +Changes are propagated into /etc/crypto-policies/back-ends/opensshserver.config. This rule checks if this file contains predefined CRYPTO_POLICY environment variable configured with predefined value. + AC-17(a) + AC-17(2) + CM-6(a) + MA-4(6) + SC-13 + SC-12(2) + SC-12(3) + FCS_SSHS_EXT.1 + SRG-OS-000250-GPOS-00093 + SRG-OS-000033-GPOS-00014 + SRG-OS-000120-GPOS-00061 + The Common Criteria requirements specify that certain parameters for OpenSSH Server are configured e.g. supported ciphers, accepted host key algorithms, public key types, key exchange algorithms, HMACs and GSSAPI key exchange is disabled. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy. 
+ +cp="CRYPTO_POLICY='-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256'" +file=/etc/crypto-policies/local.d/opensshserver-ospp.config + +#blank line at the begining to ease later readibility +echo '' > "$file" +echo "$cp" >> "$file" +update-crypto-policies + + + + + + + + + + + Configure Libreswan to use System Crypto Policy + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +Libreswan is supported by system crypto policy, but the Libreswan configuration may be +set up to ignore it. + +To check that Crypto Policies settings are configured correctly, ensure that the /etc/ipsec.conf +includes the appropriate configuration file. +In /etc/ipsec.conf, make sure that the following line +is not commented out or superseded by later includes: +include /etc/crypto-policies/back-ends/libreswan.config + CM-6(a) + MA-4(6) + SC-13 + SC-12(2) + SC-12(3) + SRG-OS-000033-GPOS-00014 + FCS_IPSEC_EXT.1.4 + FCS_IPSEC_EXT.1.6 + Overriding the system crypto policy makes the behavior of the Libreswan +service violate expectations, and makes system configuration more +fragmented. + +function remediate_libreswan_crypto_policy() { + CONFIG_FILE="/etc/ipsec.conf" + if ! 
grep -qP "^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$" "$CONFIG_FILE" ; then + echo 'include /etc/crypto-policies/back-ends/libreswan.config' >> "$CONFIG_FILE" + fi + return 0 +} + +remediate_libreswan_crypto_policy + + - name: Configure Libreswan to use System Crypto Policy + lineinfile: + path: /etc/ipsec.conf + line: include /etc/crypto-policies/back-ends/libreswan.config + create: true + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-MA-4(6) + - NIST-800-53-SC-12(2) + - NIST-800-53-SC-12(3) + - NIST-800-53-SC-13 + - configure_libreswan_crypto_policy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Harden SSH client Crypto Policy + Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH client. +To override the system wide crypto policy for Openssh client, place a file in the /etc/ssh/ssh_config.d/ so that it is loaded before the 05-redhat.conf. In this case it is file named 02-ospp.conf containing parameters which need to be changed with respect to the crypto policy. +This rule checks if the file exists and if it contains required parameters and values which modify the Crypto Policy. +During the parsing process, as soon as Openssh client parses some configuration option and its value, it remembers it and ignores any subsequent overrides. The customization mechanism provided by crypto policies appends eventual customizations at the end of the system wide crypto policy. Therefore, if the crypto policy customization overrides some parameter which is already configured in the system wide crypto policy, the SSH client will not honor that customized parameter. 
+ AC-17(a) + AC-17(2) + CM-6(a) + MA-4(6) + SC-13 + FCS_SSHC_EXT.1 + SRG-OS-000033-GPOS-00014 + SRG-OS-000250-GPOS-00093 + SRG-OS-000393-GPOS-00173 + SRG-OS-000394-GPOS-00174 + The Common Criteria requirements specify how certain parameters for OpenSSH Client are configured. Particular parameters are RekeyLimit, GSSAPIAuthentication, Ciphers, PubkeyAcceptedKeyTypes, MACs and KexAlgorithms. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy. + +#the file starts with 02 so that it is loaded before the 05-redhat.conf which activates configuration provided by system vide crypto policy +file="/etc/ssh/ssh_config.d/02-ospp.conf" +echo -e "Match final all\n\ +RekeyLimit 512M 1h\n\ +GSSAPIAuthentication no\n\ +Ciphers aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc\n\ +PubkeyAcceptedKeyTypes ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256\n\ +MACs hmac-sha2-512,hmac-sha2-256\n\ +KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1\n" > "$file" + + + + + + + + + + Configure SSH to use System Crypto Policy + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +SSH is supported by crypto policy, but the SSH configuration may be +set up to ignore it. +To check that Crypto Policies settings are configured correctly, ensure that +the CRYPTO_POLICY variable is either commented or not set at all +in the /etc/sysconfig/sshd. + AC-17(a) + AC-17(2) + CM-6(a) + MA-4(6) + SC-13 + SRG-OS-000250-GPOS-00093 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.312(e)(1) + 164.312(e)(2)(ii) + Overriding the system crypto policy makes the behavior of the SSH service violate expectations, +and makes system configuration more fragmented. 
+ +SSH_CONF="/etc/sysconfig/sshd" + +sed -i "/^\s*CRYPTO_POLICY.*$/d" $SSH_CONF + + - name: Configure SSH to use System Crypto Policy + lineinfile: + dest: /etc/sysconfig/sshd + state: absent + regexp: ^\s*CRYPTO_POLICY.*$ + tags: + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-MA-4(6) + - NIST-800-53-SC-13 + - configure_ssh_crypto_policy + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + + + + + + + + + + Configure System Cryptography Policy + To configure the system cryptography policy to use ciphers only from the +policy, run the following command: +$ sudo update-crypto-policies --set +The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied. +Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon. + The system needs to be rebooted for these changes to take effect. + System Crypto Modules must be provided by a vendor that undergoes +FIPS-140 certifications. +FIPS-140 is applicable to all Federal agencies that use +cryptographic-based security systems to protect sensitive information +in computer and telecommunication systems (including voice systems) as +defined in Section 5131 of the Information Technology Management Reform +Act of 1996, Public Law 104-106. This standard shall be used in +designing and implementing cryptographic modules that Federal +departments and agencies operate or are operated for them under +contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf +To meet this, the system has to have cryptographic software provided by +a vendor that has undergone this certification. 
This means providing +documentation, test results, design information, and independent third +party review by an accredited lab. While open source software is +capable of meeting this, it does not meet FIPS-140 unless the vendor +submits to this process. + AC-17(a) + AC-17(2) + CM-6(a) + MA-4(6) + SC-13 + SC-12(2) + SC-12(3) + FCS_COP.1(1) + FCS_COP.1(2) + FCS_COP.1(3) + FCS_COP.1(4) + FCS_CKM.1 + FCS_CKM.2 + FCS_TLSC_EXT.1 + SRG-OS-000396-GPOS-00176 + SRG-OS-000393-GPOS-00173 + SRG-OS-000394-GPOS-00174 + 1446 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.312(e)(1) + 164.312(e)(2)(ii) + Centralized cryptographic policies simplify applying secure ciphers across an operating system and +the applications that run on that operating system. Use of weak or untested encryption algorithms +undermines the purposes of utilizing encryption to protect data. + +# include remediation functions library + +var_system_crypto_policy="" + + + +stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null) +rc=$? + +if test "$rc" = 127; then + echo "$stderr_of_call" >&2 + echo "Make sure that the script is installed on the remediated system." 
>&2 + echo "See output of the 'dnf provides update-crypto-policies' command" >&2 + echo "to see what package to (re)install" >&2 + + false # end with an error code +elif test "$rc" != 0; then + echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2 + false # end with an error code +fi + + - name: XCCDF Value var_system_crypto_policy # promote to variable + set_fact: + var_system_crypto_policy: !!str + tags: + - always + +- name: Configure System Cryptography Policy + lineinfile: + path: /etc/crypto-policies/config + regexp: ^(?!#)(\S+)$ + line: '{{ var_system_crypto_policy }}' + create: true + tags: + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-MA-4(6) + - NIST-800-53-SC-12(2) + - NIST-800-53-SC-12(3) + - NIST-800-53-SC-13 + - configure_crypto_policy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - restrict_strategy + +- name: Verify that Crypto Policy is Set (runtime) + command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }} + tags: + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-MA-4(6) + - NIST-800-53-SC-12(2) + - NIST-800-53-SC-12(3) + - NIST-800-53-SC-13 + - configure_crypto_policy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Configure BIND to use System Crypto Policy + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +BIND is supported by crypto policy, but the BIND configuration may be +set up to ignore it. 
+ +To check that Crypto Policies settings are configured correctly, ensure that the /etc/named.conf +includes the appropriate configuration: +In the options section of /etc/named.conf, make sure that the following line +is not commented out or superseded by later includes: +include "/etc/crypto-policies/back-ends/bind.config"; + SC-13 + SC-12(2) + SC-12(3) + SRG-OS-000423-GPOS-00187 + SRG-OS-000426-GPOS-00190 + Overriding the system crypto policy makes the behavior of the BIND service violate expectations, +and makes system configuration more fragmented. + +function remediate_bind_crypto_policy() { + CONFIG_FILE="/etc/named.conf" + if test -f "$CONFIG_FILE"; then + sed -i 's|options {|&\n\tinclude "/etc/crypto-policies/back-ends/bind.config";|' "$CONFIG_FILE" + return 0 + else + echo "Aborting remediation as '$CONFIG_FILE' was not even found." >&2 + return 1 + fi +} + +remediate_bind_crypto_policy + + + + + + + + + + Configure Kerberos to use System Crypto Policy + Crypto Policies provide a centralized control over crypto algorithms usage of many packages. +Kerberos is supported by crypto policy, but it's configuration may be +set up to ignore it. +To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at +/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config. +If the symlink exists, kerberos is configured to use the system-wide crypto policy settings. + SC-13 + SC-12(2) + SC-12(3) + SRG-OS-000120-GPOS-00061 + 0418 + 1055 + 1402 + Overriding the system crypto policy makes the behavior of Kerberos violate expectations, +and makes system configuration more fragmented. 
+ +rm -f /etc/krb5.conf.d/crypto-policies +ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies + + - name: Configure Kerberos to use System Crypto Policy + file: + src: /etc/crypto-policies/back-ends/krb5.config + path: /etc/krb5.conf.d/crypto-policies + state: link + tags: + - NIST-800-53-SC-12(2) + - NIST-800-53-SC-12(3) + - NIST-800-53-SC-13 + - configure_kerberos_crypto_policy + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - reboot_required + + + + + + + + + + + Endpoint Protection Software + Endpoint protection security software that is not provided or supported + +by Red Hat can be installed to provide complementary or duplicative + +security capabilities to those provided by the base platform. Add-on +software may not be appropriate for some specialized systems. + + Install Intrusion Detection Software + The base Fedora platform already includes a sophisticated auditing system that +can detect intruder activity, as well as SELinux, which provides host-based +intrusion prevention capabilities by confining privileged programs and user +sessions which may become compromised. + In DoD environments, supplemental intrusion detection and antivirus tools, +such as the McAfee Host-based Security System, are available to integrate with +existing infrastructure. Per DISA guidance, when these supplemental tools interfere +with proper functioning of SELinux, SELinux takes precedence. 
Should further +clarification be required, DISA contact information is published publicly at +https://public.cyber.mil/stigs/ + CCI-001263 + CM-6(a) + DE.CM-1 + PR.AC-5 + PR.DS-5 + PR.PT-4 + Req-11.4 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.2 + SR 7.1 + SR 7.6 + 4.3.3.4 + APO01.06 + APO13.01 + DSS01.03 + DSS01.05 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 12 + 13 + 14 + 15 + 16 + 18 + 7 + 8 + 9 + Host-based intrusion detection tools provide a system-level defense when an +intruder gains access to a system or network. + + + + + + + + + + + Install Virus Scanning Software + Virus scanning software can be used to protect a system from penetration from +computer viruses and to limit their spread through intermediate systems. + +The virus scanning software should be configured to perform scans dynamically +on accessed files. If this capability is not available, the system must be +configured to scan, at a minimum, all altered files on the system on a daily +basis. + +If the system processes inbound SMTP mail, the virus scanner must be configured +to scan all received mail. + CCI-000366 + CCI-001239 + CCI-001668 + CM-6(a) + DE.CM-4 + DE.DP-3 + PR.DS-1 + SRG-OS-000480-GPOS-00227 + SR 3.2 + SR 3.3 + SR 3.4 + SR 4.1 + 4.3.4.3.8 + 4.4.3.2 + APO01.06 + APO13.02 + BAI02.01 + BAI06.01 + DSS04.07 + DSS05.01 + DSS05.02 + DSS05.03 + DSS06.06 + A.12.2.1 + A.14.2.8 + A.8.2.3 + 12 + 13 + 14 + 4 + 7 + 8 + Virus scanning software can be used to detect if a system has been compromised by +computer viruses, as well as to limit their spread to other systems. 
+ + + + + + + + + + Configure Backups of User Data + The operating system must conduct backups of user data contained +in the operating system. The operating system provides utilities for +automating backups of user data. Commercial and open-source products +are also available. + Operating system backup is a critical step in maintaining data assurance and +availability. User-level information is data generated by information system +and/or application users. Backups shall be consistent with organizational +recovery time and recovery point objectives. + + + + + + McAfee Endpoint Security Software + In DoD environments, McAfee Host-based Security System (HBSS) and +VirusScan Enterprise for Linux (VSEL) is required to be installed on all systems. + + The age of McAfee defintion file before requiring updating + Specify the amount of time (in seconds) before McAfee definition files need to be +updated. + 2592000 + 86400 + 604800 + 2592000 + + + McAfee Host-Based Intrusion Detection Software (HBSS) + McAfee Host-based Security System (HBSS) is a suite of software applications +used to monitor, detect, and defend computer networks and systems. + + Install the Host Intrusion Prevention System (HIPS) Module + Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely +necessary. If SELinux is enabled, do not install or enable this module. + Installing and enabling this module conflicts with SELinux. +Per DoD/DISA guidance, SELinux takes precedence over this module. + Due to McAfee HIPS being 3rd party software, automated +remediation is not available for this configuration check. 
+ CCI-000366 + CCI-001233 + CCI-001263 + CM-6(a) + DE.AE-1 + DE.AE-2 + DE.AE-3 + DE.AE-4 + DE.CM-1 + DE.CM-5 + DE.CM-6 + DE.CM-7 + DE.DP-2 + DE.DP-3 + DE.DP-4 + DE.DP-5 + ID.RA-1 + PR.AC-5 + PR.DS-5 + PR.IP-8 + PR.PT-4 + RS.AN-1 + RS.CO-3 + Req-11.4 + SRG-OS-000191-GPOS-00080 + SRG-OS-000196 + SRG-OS-000480-GPOS-00227 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.4 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.3 + SR 3.5 + SR 3.8 + SR 3.9 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3 + 4.2.3.12 + 4.2.3.7 + 4.2.3.9 + 4.3.3.4 + 4.3.4.5.2 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.3.4.5.9 + 4.4.3.2 + 4.4.3.3 + 4.4.3.4 + APO01.06 + APO07.06 + APO08.04 + APO10.05 + APO11.06 + APO12.01 + APO12.02 + APO12.03 + APO12.04 + APO12.06 + APO13.01 + APO13.02 + BAI08.02 + BAI08.04 + DSS01.03 + DSS01.05 + DSS02.04 + DSS02.05 + DSS02.07 + DSS03.01 + DSS03.04 + DSS03.05 + DSS04.05 + DSS05.01 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.01 + DSS06.02 + MEA03.03 + MEA03.04 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.4.1 + A.12.4.3 + A.12.5.1 + A.12.6.1 + A.12.6.2 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.14.2.7 + A.14.2.8 + A.15.2.1 + A.16.1.1 + A.16.1.2 + A.16.1.3 + A.16.1.4 + A.16.1.5 + A.16.1.6 + A.16.1.7 + A.18.1.4 + A.18.2.2 + A.18.2.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + Clause 16.1.2 + Clause 7.4 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Without a host-based intrusion detection tool, there is no system-level defense +when an intruder gains access to a system or network. Additionally, a host-based +intrusion prevention tool can provide methods to immediately lock out detected +intrusion attempts. 
+ + +[[packages]] +name = "MFEhiplsm" +version = "*" + + + + + + + + + + + + + Operating System Vendor Support and Certification + The assurance of a vendor to provide operating system support and maintenance +for their product is an important criterion to ensure product stability and +security over the life of the product. A certified product that follows the +necessary standards and government certification requirements guarantees that +known software vulnerabilities will be remediated, and proper guidance for +protecting and securing the operating system will be given. + + The Installed Operating System Is Vendor Supported + The installed operating system must be maintained by a vendor. + +Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise +Linux vendor, Red Hat, Inc. is responsible for providing security patches. + There is no remediation besides switching to a different operating system. + CCI-000366 + CM-6(a) + MA-6 + SA-13(a) + ID.RA-1 + PR.IP-12 + SRG-OS-000480-GPOS-00227 + 4.2.3 + 4.2.3.12 + 4.2.3.7 + 4.2.3.9 + APO12.01 + APO12.02 + APO12.03 + APO12.04 + BAI03.10 + DSS05.01 + DSS05.02 + A.12.6.1 + A.14.2.3 + A.16.1.3 + A.18.2.2 + A.18.2.3 + 18 + 20 + 4 + An operating system is considered "supported" if the vendor continues to +provide security patches for the product. With an unsupported release, it +will not be possible to resolve any security issue discovered in the system +software. + + + + + + + + + The Installed Operating System Is FIPS 140-2 Certified + To enable processing of sensitive information the operating system must +provide certified cryptographic modules compliant with FIPS 140-2 +standard. + There is no remediation besides switching to a different operating system. + System Crypto Modules must be provided by a vendor that undergoes +FIPS-140 certifications. 
+FIPS-140 is applicable to all Federal agencies that use +cryptographic-based security systems to protect sensitive information +in computer and telecommunication systems (including voice systems) as +defined in Section 5131 of the Information Technology Management Reform +Act of 1996, Public Law 104-106. This standard shall be used in +designing and implementing cryptographic modules that Federal +departments and agencies operate or are operated for them under +contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf +To meet this, the system has to have cryptographic software provided by +a vendor that has undergone this certification. This means providing +documentation, test results, design information, and independent third +party review by an accredited lab. While open source software is +capable of meeting this, it does not meet FIPS-140 unless the vendor +submits to this process. + CCI-000803 + CCI-002450 + SC-12(2) + SC-12(3) + IA-7 + SC-13 + CM-6(a) + SC-12 + SRG-OS-000120-VMM-000600 + SRG-OS-000478-VMM-001980 + SRG-OS-000396-VMM-001590 + The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS +PUB 140-2) is a computer security standard. The standard specifies security +requirements for cryptographic modules used to protect sensitive +unclassified information. Refer to the full FIPS 140-2 standard at + + http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf +for further details on the requirements. +FIPS 140-2 validation is required by U.S. law when information systems use +cryptography to protect sensitive government information. In order to +achieve FIPS 140-2 certification, cryptographic modules are subject to +extensive testing by independent laboratories, accredited by National +Institute of Standards and Technology (NIST). + + + + + + + + + + + System Tooling / Utilities + The following checks evaluate the system for recommended base packages -- both for installation +and removal. 
+ + Install binutils Package + The binutils package can be installed with the following command: + +$ sudo dnf install binutils + binutils is a collection of binary utilities required for +foundational system operator activities, such as ld, +nm, objcopy and readelf. + +if ! rpm -q --quiet "binutils" ; then + dnf install -y "binutils" +fi + + - name: Ensure binutils is installed + package: + name: binutils + state: present + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_binutils_installed + + include install_binutils + +class install_binutils { + package { 'binutils': + ensure => 'installed', + } +} + + +package --add=binutils + + +[[packages]] +name = "binutils" +version = "*" + + + + + + + + + + Install cryptsetup-luks Package + The cryptsetup-luks package can be installed with the following command: + +$ sudo dnf install cryptsetup-luks + LUKS is the upcoming standard for Linux hard disk encryption. By providing a standard +on-disk format, it does not only facilitate compatibility among distributions, but also +provide secure management of multiple user passwords. In contrast to existing solution, +LUKS stores all necessary setup information in the partition header, enabling the user +to transport or migrate their data seamlessly. LUKS for dm-crypt is implemented in +cryptsetup. cryptsetup-luks is intended as a complete replacement for the +original cryptsetup. It provides all the functionality of the original +version plus all LUKS features, that are accessible by luks* action. + +if ! 
rpm -q --quiet "cryptsetup-luks" ; then + dnf install -y "cryptsetup-luks" +fi + + - name: Ensure cryptsetup-luks is installed + package: + name: cryptsetup-luks + state: present + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_cryptsetup-luks_installed + + include install_cryptsetup-luks + +class install_cryptsetup-luks { + package { 'cryptsetup-luks': + ensure => 'installed', + } +} + + +package --add=cryptsetup-luks + + +[[packages]] +name = "cryptsetup-luks" +version = "*" + + + + + + + + + + Ensure gnutls-utils is installed + The gnutls-utils package can be installed with the following command: + +$ sudo dnf install gnutls-utils + FIA_X509_EXT + SRG-OS-000480-GPOS-00227 + GnuTLS is a secure communications library implementing the SSL, TLS and DTLS +protocols and technologies around them. It provides a simple C language +application programming interface (API) to access the secure communications +protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and +other required structures. +This package contains command line TLS client and server and certificate +manipulation tools. + +if ! 
rpm -q --quiet "gnutls-utils" ; then + dnf install -y "gnutls-utils" +fi + + - name: Ensure gnutls-utils is installed + package: + name: gnutls-utils + state: present + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_gnutls-utils_installed + + include install_gnutls-utils + +class install_gnutls-utils { + package { 'gnutls-utils': + ensure => 'installed', + } +} + + +package --add=gnutls-utils + + +[[packages]] +name = "gnutls-utils" +version = "*" + + + + + + + + + + Install libcap-ng-utils Package + The libcap-ng-utils package can be installed with the following command: + +$ sudo dnf install libcap-ng-utils + SRG-OS-000445-GPOS-00199 + libcap-ng-utils contains applications to analyze the posix +posix capabilities of all the programs running on a system. +libcap-ng-utils also lets system operators set the file +system based capabilities. + +if ! rpm -q --quiet "libcap-ng-utils" ; then + dnf install -y "libcap-ng-utils" +fi + + - name: Ensure libcap-ng-utils is installed + package: + name: libcap-ng-utils + state: present + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_libcap-ng-utils_installed + + include install_libcap-ng-utils + +class install_libcap-ng-utils { + package { 'libcap-ng-utils': + ensure => 'installed', + } +} + + +package --add=libcap-ng-utils + + +[[packages]] +name = "libcap-ng-utils" +version = "*" + + + + + + + + + + Ensure nss-tools is installed + The nss-tools package can be installed with the following command: + +$ sudo dnf install nss-tools + FMT_SMF_EXT.1 + SRG-OS-000480-GPOS-00227 + Network Security Services (NSS) is a set of libraries designed to +support cross-platform development of security-enabled client and +server applications. Install the nss-tools package +to install command-line tools to manipulate the NSS certificate +and key database. + +if ! 
rpm -q --quiet "nss-tools" ; then + dnf install -y "nss-tools" +fi + + - name: Ensure nss-tools is installed + package: + name: nss-tools + state: present + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_nss-tools_installed + + include install_nss-tools + +class install_nss-tools { + package { 'nss-tools': + ensure => 'installed', + } +} + + +package --add=nss-tools + + +[[packages]] +name = "nss-tools" +version = "*" + + + + + + + + + + Install openscap-scanner Package + The openscap-scanner package can be installed with the following command: + +$ sudo dnf install openscap-scanner + SRG-OS-000480-GPOS-00227 + SRG-OS-000191-GPOS-00080 + openscap-scanner contains the oscap command line tool. This tool is a +configuration and vulnerability scanner, capable of performing compliance checking using +SCAP content. + +if ! rpm -q --quiet "openscap-scanner" ; then + dnf install -y "openscap-scanner" +fi + + - name: Ensure openscap-scanner is installed + package: + name: openscap-scanner + state: present + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_openscap-scanner_installed + + include install_openscap-scanner + +class install_openscap-scanner { + package { 'openscap-scanner': + ensure => 'installed', + } +} + + +package --add=openscap-scanner + + +[[packages]] +name = "openscap-scanner" +version = "*" + + + + + + + + + + Install rear Package + The rear package can be installed with the following command: + +$ sudo dnf install rear + rear contains the Relax-and-Recover (ReaR) utility. ReaR produces a bootable +image of a system and restores from backup using this image. + +if ! 
rpm -q --quiet "rear" ; then + dnf install -y "rear" +fi + + - name: Ensure rear is installed + package: + name: rear + state: present + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_rear_installed + + include install_rear + +class install_rear { + package { 'rear': + ensure => 'installed', + } +} + + +package --add=rear + + +[[packages]] +name = "rear" +version = "*" + + + + + + + + + + Install rng-tools Package + The rng-tools package can be installed with the following command: + +$ sudo dnf install rng-tools + SRG-OS-000480-GPOS-00227 + CCI-000366 + rng-tools provides hardware random number generator tools, +such as those used in the formation of x509/PKI certificates. + +if ! rpm -q --quiet "rng-tools" ; then + dnf install -y "rng-tools" +fi + + - name: Ensure rng-tools is installed + package: + name: rng-tools + state: present + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_rng-tools_installed + + include install_rng-tools + +class install_rng-tools { + package { 'rng-tools': + ensure => 'installed', + } +} + + +package --add=rng-tools + + +[[packages]] +name = "rng-tools" +version = "*" + + + + + + + + + + Install scap-security-guide Package + The scap-security-guide package can be installed with the following command: + +$ sudo dnf install scap-security-guide + SRG-OS-000480-GPOS-00227 + The scap-security-guide package provides a guide for configuration of the system +from the final system's security point of view. The guidance is specified in the Security +Content Automation Protocol (SCAP) format and constitutes a catalog of practical hardening +advice, linked to government requirements where applicable. The SCAP Security Guide project +bridges the gap between generalized policy requirements and specific implementation guidelines. 
+A system administrator can use the oscap CLI tool from the openscap-scanner +package, or the SCAP Workbench GUI tool from the scap-workbench package, to verify +that the system conforms to provided guidelines. Refer to the scap-security-guide(8) manual +page for futher information. + +if ! rpm -q --quiet "scap-security-guide" ; then + dnf install -y "scap-security-guide" +fi + + - name: Ensure scap-security-guide is installed + package: + name: scap-security-guide + state: present + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_scap-security-guide_installed + + include install_scap-security-guide + +class install_scap-security-guide { + package { 'scap-security-guide': + ensure => 'installed', + } +} + + +package --add=scap-security-guide + + +[[packages]] +name = "scap-security-guide" +version = "*" + + + + + + + + + + Install tar Package + The tar package can be installed with the following command: + +$ sudo dnf install tar + The GNU tar program saves many files together into one archive and +can restore individual files (or all of the files) from the archive. tar +includes multivolume support, automatic archive compression/decompression, the +the ability to perform incremental and full backups. If + +if ! rpm -q --quiet "tar" ; then + dnf install -y "tar" +fi + + - name: Ensure tar is installed + package: + name: tar + state: present + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_tar_installed + + include install_tar + +class install_tar { + package { 'tar': + ensure => 'installed', + } +} + + +package --add=tar + + +[[packages]] +name = "tar" +version = "*" + + + + + + + + + + Install vim Package + The vim package can be installed with the following command: + +$ sudo dnf install vim + Vim (Vi IMproved) is an almost compatible version of the UNIX editor vi. + +if ! 
rpm -q --quiet "vim" ; then + dnf install -y "vim" +fi + + - name: Ensure vim is installed + package: + name: vim + state: present + tags: + - enable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_vim_installed + + include install_vim + +class install_vim { + package { 'vim': + ensure => 'installed', + } +} + + +package --add=vim + + +[[packages]] +name = "vim" +version = "*" + + + + + + + + + + Uninstall abrt-addon-ccpp Package + The abrt-addon-ccpp package can be removed with the following command: + +$ sudo dnf erase abrt-addon-ccpp + SRG-OS-000095-GPOS-00049 + CCI-000381 + abrt-addon-ccpp contains hooks for C/C++ crashed programs and abrt's +C/C++ analyzer plugin. + +# CAUTION: This remediation script will remove abrt-addon-ccpp +# from the system, and may remove any packages +# that depend on abrt-addon-ccpp. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt-addon-ccpp" ; then + dnf remove -y "abrt-addon-ccpp" +fi + + - name: Ensure abrt-addon-ccpp is removed + package: + name: abrt-addon-ccpp + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_abrt-addon-ccpp_removed + + include remove_abrt-addon-ccpp + +class remove_abrt-addon-ccpp { + package { 'abrt-addon-ccpp': + ensure => 'purged', + } +} + + +package --remove=abrt-addon-ccpp + + + + + + + + + + Uninstall abrt-addon-kerneloops Package + The abrt-addon-kerneloops package can be removed with the following command: + +$ sudo dnf erase abrt-addon-kerneloops + SRG-OS-000095-GPOS-00049 + CCI-000381 + abrt-addon-kerneloops contains plugins for collecting kernel crash information and +reporter plugin which sends this information to a specified server, usually to kerneloops.org. 
+ +# CAUTION: This remediation script will remove abrt-addon-kerneloops +# from the system, and may remove any packages +# that depend on abrt-addon-kerneloops. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt-addon-kerneloops" ; then + dnf remove -y "abrt-addon-kerneloops" +fi + + - name: Ensure abrt-addon-kerneloops is removed + package: + name: abrt-addon-kerneloops + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_abrt-addon-kerneloops_removed + + include remove_abrt-addon-kerneloops + +class remove_abrt-addon-kerneloops { + package { 'abrt-addon-kerneloops': + ensure => 'purged', + } +} + + +package --remove=abrt-addon-kerneloops + + + + + + + + + + Uninstall abrt-addon-python Package + The abrt-addon-python package can be removed with the following command: + +$ sudo dnf erase abrt-addon-python + SRG-OS-000095-GPOS-00049 + CCI-000381 + abrt-addon-python contains python hook and python analyzer +plugin for handling uncaught exceptions in python programs. + +# CAUTION: This remediation script will remove abrt-addon-python +# from the system, and may remove any packages +# that depend on abrt-addon-python. Execute this +# remediation AFTER testing on a non-production +# system! 
+ +if rpm -q --quiet "abrt-addon-python" ; then + dnf remove -y "abrt-addon-python" +fi + + - name: Ensure abrt-addon-python is removed + package: + name: abrt-addon-python + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_abrt-addon-python_removed + + include remove_abrt-addon-python + +class remove_abrt-addon-python { + package { 'abrt-addon-python': + ensure => 'purged', + } +} + + +package --remove=abrt-addon-python + + + + + + + + + + Uninstall abrt-cli Package + The abrt-cli package can be removed with the following command: + +$ sudo dnf erase abrt-cli + SRG-OS-000095-GPOS-00049 + CCI-000381 + abrt-cli contains a command line client for controlling abrt daemon +over sockets. + +# CAUTION: This remediation script will remove abrt-cli +# from the system, and may remove any packages +# that depend on abrt-cli. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt-cli" ; then + dnf remove -y "abrt-cli" +fi + + - name: Ensure abrt-cli is removed + package: + name: abrt-cli + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_abrt-cli_removed + + include remove_abrt-cli + +class remove_abrt-cli { + package { 'abrt-cli': + ensure => 'purged', + } +} + + +package --remove=abrt-cli + + + + + + + + + + Uninstall abrt-plugin-logger Package + The abrt-plugin-logger package can be removed with the following command: + +$ sudo dnf erase abrt-plugin-logger + SRG-OS-000095-GPOS-00049 + CCI-000381 + abrt-plugin-logger is an ABRT plugin which writes a report +to a specified file. + +# CAUTION: This remediation script will remove abrt-plugin-logger +# from the system, and may remove any packages +# that depend on abrt-plugin-logger. Execute this +# remediation AFTER testing on a non-production +# system! 
+ +if rpm -q --quiet "abrt-plugin-logger" ; then + dnf remove -y "abrt-plugin-logger" +fi + + - name: Ensure abrt-plugin-logger is removed + package: + name: abrt-plugin-logger + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_abrt-plugin-logger_removed + + include remove_abrt-plugin-logger + +class remove_abrt-plugin-logger { + package { 'abrt-plugin-logger': + ensure => 'purged', + } +} + + +package --remove=abrt-plugin-logger + + + + + + + + + + Uninstall abrt-plugin-rhtsupport Package + The abrt-plugin-rhtsupport package can be removed with the following command: + +$ sudo dnf erase abrt-plugin-rhtsupport + SRG-OS-000095-GPOS-00049 + CCI-000381 + abrt-plugin-rhtsupport is a ABRT plugin to report bugs into the +Red Hat Support system. + +# CAUTION: This remediation script will remove abrt-plugin-rhtsupport +# from the system, and may remove any packages +# that depend on abrt-plugin-rhtsupport. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt-plugin-rhtsupport" ; then + dnf remove -y "abrt-plugin-rhtsupport" +fi + + - name: Ensure abrt-plugin-rhtsupport is removed + package: + name: abrt-plugin-rhtsupport + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_abrt-plugin-rhtsupport_removed + + include remove_abrt-plugin-rhtsupport + +class remove_abrt-plugin-rhtsupport { + package { 'abrt-plugin-rhtsupport': + ensure => 'purged', + } +} + + +package --remove=abrt-plugin-rhtsupport + + + + + + + + + + Uninstall abrt-plugin-sosreport Package + The abrt-plugin-sosreport package can be removed with the following command: + +$ sudo dnf erase abrt-plugin-sosreport + SRG-OS-000095-GPOS-00049 + CCI-000381 + abrt-plugin-sosreport provides a plugin to include an sosreport in an ABRT report. 
+ +# CAUTION: This remediation script will remove abrt-plugin-sosreport +# from the system, and may remove any packages +# that depend on abrt-plugin-sosreport. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt-plugin-sosreport" ; then + dnf remove -y "abrt-plugin-sosreport" +fi + + - name: Ensure abrt-plugin-sosreport is removed + package: + name: abrt-plugin-sosreport + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_abrt-plugin-sosreport_removed + + include remove_abrt-plugin-sosreport + +class remove_abrt-plugin-sosreport { + package { 'abrt-plugin-sosreport': + ensure => 'purged', + } +} + + +package --remove=abrt-plugin-sosreport + + + + + + + + + + Uninstall geolite2-city Package + The geolite2-city package can be removed with the following command: + +$ sudo dnf erase geolite2-city + geolite2-city is part of the GeoLite2 database packages, offering geolocation databases and tooling. + +# CAUTION: This remediation script will remove geolite2-city +# from the system, and may remove any packages +# that depend on geolite2-city. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "geolite2-city" ; then + dnf remove -y "geolite2-city" +fi + + - name: Ensure geolite2-city is removed + package: + name: geolite2-city + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_geolite2-city_removed + + include remove_geolite2-city + +class remove_geolite2-city { + package { 'geolite2-city': + ensure => 'purged', + } +} + + +package --remove=geolite2-city + + + + + + + + + + Uninstall geolite2-country Package + The geolite2-country package can be removed with the following command: + +$ sudo dnf erase geolite2-country + geolite2-country is part of the GeoLite2 database packages, offering geolocation databases and tooling. 
+ +# CAUTION: This remediation script will remove geolite2-country +# from the system, and may remove any packages +# that depend on geolite2-country. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "geolite2-country" ; then + dnf remove -y "geolite2-country" +fi + + - name: Ensure geolite2-country is removed + package: + name: geolite2-country + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_geolite2-country_removed + + include remove_geolite2-country + +class remove_geolite2-country { + package { 'geolite2-country': + ensure => 'purged', + } +} + + +package --remove=geolite2-country + + + + + + + + + + Uninstall gssproxy Package + The gssproxy package can be removed with the following command: + +$ sudo dnf erase gssproxy + SRG-OS-000095-GPOS-00049 + SRG-OS-000480-GPOS-00227 + CCI-000381 + CCI-000366 + gssproxy is a proxy for GSS API credential handling. + +# CAUTION: This remediation script will remove gssproxy +# from the system, and may remove any packages +# that depend on gssproxy. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "gssproxy" ; then + dnf remove -y "gssproxy" +fi + + - name: Ensure gssproxy is removed + package: + name: gssproxy + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_gssproxy_removed + + include remove_gssproxy + +class remove_gssproxy { + package { 'gssproxy': + ensure => 'purged', + } +} + + + + + + + + + + Uninstall iprutils Package + The iprutils package can be removed with the following command: + +$ sudo dnf erase iprutils + SRG-OS-000095-GPOS-00049 + SRG-OS-000480-GPOS-00227 + CCI-000366 + iprutils provides a suite of utlilities to manage and configure SCSI devices +supported by the ipr SCSI storage device driver. 
+ +# CAUTION: This remediation script will remove iprutils +# from the system, and may remove any packages +# that depend on iprutils. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "iprutils" ; then + dnf remove -y "iprutils" +fi + + - name: Ensure iprutils is removed + package: + name: iprutils + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_iprutils_removed + + include remove_iprutils + +class remove_iprutils { + package { 'iprutils': + ensure => 'purged', + } +} + + +package --remove=iprutils + + + + + + + + + + Uninstall krb5-workstation Package + The krb5-workstation package can be removed with the following command: + +$ sudo dnf erase krb5-workstation + SRG-OS-000095-GPOS-00049 + SRG-OS-000120-GPOS-00061 + CCI-000803 + Kerberos is a network authentication system. The krb5-workstation package contains the basic +Kerberos programs (kinit, klist, kdestroy, kpasswd). + +Currently, Kerberos does not utilize FIPS 140-2 cryptography and is not permitted on Government networks, +nor is it permitted in many regulatory environments such as HIPAA. + +# CAUTION: This remediation script will remove krb5-workstation +# from the system, and may remove any packages +# that depend on krb5-workstation. Execute this +# remediation AFTER testing on a non-production +# system! 
+ +if rpm -q --quiet "krb5-workstation" ; then + dnf remove -y "krb5-workstation" +fi + + - name: Ensure krb5-workstation is removed + package: + name: krb5-workstation + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_krb5-workstation_removed + + include remove_krb5-workstation + +class remove_krb5-workstation { + package { 'krb5-workstation': + ensure => 'purged', + } +} + + +package --remove=krb5-workstation + + + + + + + + + + Uninstall tuned Package + The tuned package can be removed with the following command: + +$ sudo dnf erase tuned + SRG-OS-000095-GPOS-00049 + SRG-OS-000480-GPOS-00227 + CCI-000366 + tuned contains a daemon that tunes the system settings dynamically. +It does so by monitoring the usage of several system components periodically. Based +on that information, components will then be put into lower or higher power savings +modes to adapt to the current usage. + +# CAUTION: This remediation script will remove tuned +# from the system, and may remove any packages +# that depend on tuned. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "tuned" ; then + dnf remove -y "tuned" +fi + + - name: Ensure tuned is removed + package: + name: tuned + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_tuned_removed + + include remove_tuned + +class remove_tuned { + package { 'tuned': + ensure => 'purged', + } +} + + +package --remove=tuned + + + + + + + + + + + Sudo + Sudo, which stands for "su 'do'", provides the ability to delegate authority +to certain users, groups of users, or system administrators. When configured for system +users and/or groups, Sudo can allow a user or group to execute privileged commands +that normally only root is allowed to execute. 
+ +For more information on Sudo and addition Sudo configuration options, see +https://www.sudo.ws. + + Group name dedicated to the use of sudo + Specify the name of the group that should own /usr/bin/sudo. + root + sudogrp + + + Sudo - umask value + Specify the sudo umask to use. The actual umask value that is used is the union +of the user's umask and the sudo umask. +The default sudo umask is 0022. This guarantess sudo never lowers the umask when +running a command. + 0022 + 0022 + 0027 + + + Install sudo Package + The sudo package can be installed with the following command: + +$ sudo dnf install sudo + CM-6(a) + SRG-OS-000324-GPOS-00125 + 1382 + 1384 + 1386 + BP28(R19) + sudo is a program designed to allow a system administrator to give +limited root privileges to users and log root activity. The basic philosophy +is to give as few privileges as possible but still allow system users to +get their work done. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "sudo" ; then + dnf install -y "sudo" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sudo is installed + package: + name: sudo + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_sudo_installed + + include install_sudo + +class install_sudo { + package { 'sudo': + ensure => 'installed', + } +} + + +package --add=sudo + + +[[packages]] +name = "sudo" +version = "*" + + + + + + + + + + Explicit arguments in sudo specifications + All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user. +If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification. 
+ This rule doesn't come with a remediation, as absence of arguments in the user spec doesn't mean that the command is intended to be executed with no arguments. + The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that. For example, root ALL=(ALL) echo 1\,2 allows root to execute echo 1,2, but the check would interpret it as two commands echo 1\ and 2. + BP28(R63) + Any argument can modify quite significantly the behavior of a program, whether regarding the +realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To +avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the +level of its specification. + +For example, on some systems, the kernel messages are only accessible by root. +If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted +in order to prevent the user from flushing the buffer through the -c option: + +user ALL = dmesg "" + + + + + + + + + + + Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate + The sudo !authenticate option, when specified, allows a user to execute commands using +sudo without having to authenticate. This should be disabled by making sure that the +!authenticate option does not exist in /etc/sudoers configuration file or +any sudo configuration snippets in /etc/sudoers.d/. 
+ BP28(R5) + BP28(R59) + CCI-002038 + IA-11 + CM-6(a) + PR.AC-1 + PR.AC-7 + SRG-OS-000373-GPOS-00156 + SRG-OS-000373-GPOS-00157 + SRG-OS-000373-GPOS-00158 + SRG-OS-000373-VMM-001470 + SRG-OS-000373-VMM-001480 + SRG-OS-000373-VMM-001490 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.5.1 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + Without re-authentication, users may access resources or perform tasks for which they +do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. + +for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do + matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + # comment out "!authenticate" matches to preserve user data + sed -i "s/^${entry}$/# &/g" $f + done <<< "$matching_list" + + /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" + fi +done + + - name: Find /etc/sudoers.d/ files + find: + paths: + - /etc/sudoers.d/ + register: sudoers + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-11 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudo_remove_no_authenticate + +- name: Remove lines containing !authenticate from sudoers files + replace: + regexp: (^(?!#).*[\s]+\!authenticate.*$) + replace: '# \g<1>' + path: '{{ item.path }}' + validate: /usr/sbin/visudo -cf %s + with_items: + - path: /etc/sudoers + - '{{ sudoers.files }}' + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-11 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - 
sudo_remove_no_authenticate + + + + + + + + + + Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC + The sudo NOEXEC tag, when specified, prevents user executed +commands from executing other commands, like a shell for example. +This should be enabled by making sure that the NOEXEC tag exists in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/. + BP28(R58) + Restricting the capability of sudo allowed commands to execute sub-commands +prevents users from running programs with privileges they wouldn't have otherwise. + +if /usr/sbin/visudo -qcf /etc/sudoers; then + cp /etc/sudoers /etc/sudoers.bak + if ! grep -P "^[\s]*Defaults.*\bnoexec\b.*$" /etc/sudoers; then + # sudoers file doesn't define Option noexec + echo "Defaults noexec" >> /etc/sudoers + fi + + # Check validity of sudoers and cleanup bak + if /usr/sbin/visudo -qcf /etc/sudoers; then + rm -f /etc/sudoers.bak + else + echo "Fail to validate remediated /etc/sudoers, reverting to original file." + mv /etc/sudoers.bak /etc/sudoers + false + fi +else + echo "Skipping remediation, /etc/sudoers failed to validate" + false +fi + + - name: Ensure noexec is enabled in /etc/sudoers + lineinfile: + path: /etc/sudoers + regexp: ^[\s]*Defaults.*\bnoexec\b.*$ + line: Defaults noexec + validate: /usr/sbin/visudo -cf %s + tags: + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - restrict_strategy + - sudo_add_noexec + + + + + + + + + + Ensure invoking users password for privilege escalation when using sudo + The sudoers security policy requires that users authenticate themselves before they can use sudo. +When sudoers requires authentication, it validates the invoking user's credentials. 
+The expected output for: +sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' + /etc/sudoers:Defaults !targetpw + /etc/sudoers:Defaults !rootpw + /etc/sudoers:Defaults !runaspw + CCI-000366 + SRG-OS-000480-GPOS-00227 + If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt +the invoking user for the "root" user password. + +if [ -e "/etc/sudoers" ] ; then + LC_ALL=C sed -i "/Defaults !targetpw/d" "/etc/sudoers" +else + touch "/etc/sudoers" +fi +cp "/etc/sudoers" "/etc/sudoers.bak" +# Insert at the end of the file +printf '%s\n' "Defaults !targetpw" >> "/etc/sudoers" +# Clean up after ourselves. +rm "/etc/sudoers.bak" +if [ -e "/etc/sudoers" ] ; then + LC_ALL=C sed -i "/Defaults !rootpw/d" "/etc/sudoers" +else + touch "/etc/sudoers" +fi +cp "/etc/sudoers" "/etc/sudoers.bak" +# Insert at the end of the file +printf '%s\n' "Defaults !rootpw" >> "/etc/sudoers" +# Clean up after ourselves. +rm "/etc/sudoers.bak" +if [ -e "/etc/sudoers" ] ; then + LC_ALL=C sed -i "/Defaults !runaspw/d" "/etc/sudoers" +else + touch "/etc/sudoers" +fi +cp "/etc/sudoers" "/etc/sudoers.bak" +# Insert at the end of the file +printf '%s\n' "Defaults !runaspw" >> "/etc/sudoers" +# Clean up after ourselves. 
+rm "/etc/sudoers.bak" + + - name: Ensure that Defaults !targetpw is defined in sudoers + lineinfile: + path: /etc/sudoers + create: true + line: Defaults !targetpw + state: present + tags: + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudoers_validate_passwd + +- name: Ensure that Defaults !rootpw is defined in sudoers + lineinfile: + path: /etc/sudoers + create: true + line: Defaults !rootpw + state: present + tags: + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudoers_validate_passwd + +- name: Ensure that Defaults !runaspw is defined in sudoers + lineinfile: + path: /etc/sudoers + create: true + line: Defaults !runaspw + state: present + tags: + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudoers_validate_passwd + + + + + + + + + + Don't target root user in the sudoers file + The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root). + +User specifications have to explicitly list the runas spec (i.e. the list of target users that can be impersonated), and ALL or root should not be used. + This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable. + BP28(R60) + It is common that the command to be executed does not require superuser rights (editing a file +whose the owner is not root, sending a signal to an unprivileged process,etc.). In order to limit +any attempt of privilege escalation through a command, it is better to apply normal user rights. + + + + + + + + + + Only the VDSM User Can Use sudo NOPASSWD + The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. Only the vdsm user should have this capability in any sudo configuration snippets in /etc/sudoers.d/. 
+ Without re-authentication, users may access resources or perform tasks for which they +do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. + + + + + + + + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty + The sudo use_pty tag, when specified, will only execute sudo +commands from users logged in to a real tty. +This should be enabled by making sure that the use_pty tag exists in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/. + BP28(R58) + Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining +access to the user's terminal after the main program has finished executing. + +if /usr/sbin/visudo -qcf /etc/sudoers; then + cp /etc/sudoers /etc/sudoers.bak + if ! grep -P "^[\s]*Defaults.*\buse_pty\b.*$" /etc/sudoers; then + # sudoers file doesn't define Option use_pty + echo "Defaults use_pty" >> /etc/sudoers + fi + + # Check validity of sudoers and cleanup bak + if /usr/sbin/visudo -qcf /etc/sudoers; then + rm -f /etc/sudoers.bak + else + echo "Fail to validate remediated /etc/sudoers, reverting to original file." + mv /etc/sudoers.bak /etc/sudoers + false + fi +else + echo "Skipping remediation, /etc/sudoers failed to validate" + false +fi + + - name: Ensure use_pty is enabled in /etc/sudoers + lineinfile: + path: /etc/sudoers + regexp: ^[\s]*Defaults.*\buse_pty\b.*$ + line: Defaults use_pty + validate: /usr/sbin/visudo -cf %s + tags: + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudo_add_use_pty + + + + + + + + + + Ensure Users Re-Authenticate for Privilege Escalation - sudo + The sudo NOPASSWD and !authenticate option, when +specified, allows a user to execute commands using sudo without having to +authenticate. 
This should be disabled by making sure that +NOPASSWD and/or !authenticate do not exist in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/." + IA-11 + CM-6(a) + PR.AC-1 + PR.AC-7 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.5.1 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + SRG-OS-000373-GPOS-00156 + CCI-002038 + Without re-authentication, users may access resources or perform tasks for which they +do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. + +for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do + matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + # comment out "NOPASSWD" matches to preserve user data + sed -i "s/^${entry}$/# &/g" $f + done <<< "$matching_list" + + /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" + fi +done + +for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do + matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq ) + if ! 
test -z "$matching_list"; then + while IFS= read -r entry; do + # comment out "!authenticate" matches to preserve user data + sed -i "s/^${entry}$/# &/g" $f + done <<< "$matching_list" + + /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" + fi +done + + - name: Find /etc/sudoers.d/ files + find: + paths: + - /etc/sudoers.d/ + register: sudoers + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-11 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudo_require_authentication + +- name: Remove lines containing NOPASSWD from sudoers files + replace: + regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$) + replace: '# \g<1>' + path: '{{ item.path }}' + validate: /usr/sbin/visudo -cf %s + with_items: + - path: /etc/sudoers + - '{{ sudoers.files }}' + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-11 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudo_require_authentication + +- name: Find /etc/sudoers.d/ files + find: + paths: + - /etc/sudoers.d/ + register: sudoers + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-11 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudo_require_authentication + +- name: Remove lines containing !authenticate from sudoers files + replace: + regexp: (^(?!#).*[\s]+\!authenticate.*$) + replace: '# \g<1>' + path: '{{ item.path }}' + validate: /usr/sbin/visudo -cf %s + with_items: + - path: /etc/sudoers + - '{{ sudoers.files }}' + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-11 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudo_require_authentication + + + + + + + + + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty + The sudo requiretty tag, when specified, will only execute sudo +commands from users logged in to a real tty. 
+This should be enabled by making sure that the requiretty tag exists in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/. + BP28(R58) + Restricting the use cases in which a user is allowed to execute sudo commands +reduces the attack surface. + +if /usr/sbin/visudo -qcf /etc/sudoers; then + cp /etc/sudoers /etc/sudoers.bak + if ! grep -P "^[\s]*Defaults.*\brequiretty\b.*$" /etc/sudoers; then + # sudoers file doesn't define Option requiretty + echo "Defaults requiretty" >> /etc/sudoers + fi + + # Check validity of sudoers and cleanup bak + if /usr/sbin/visudo -qcf /etc/sudoers; then + rm -f /etc/sudoers.bak + else + echo "Fail to validate remediated /etc/sudoers, reverting to original file." + mv /etc/sudoers.bak /etc/sudoers + false + fi +else + echo "Skipping remediation, /etc/sudoers failed to validate" + false +fi + + - name: Ensure requiretty is enabled in /etc/sudoers + lineinfile: + path: /etc/sudoers + regexp: ^[\s]*Defaults.*\brequiretty\b.*$ + line: Defaults requiretty + validate: /usr/sbin/visudo -cf %s + tags: + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudo_add_requiretty + + + + + + + + + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + The sudo NOPASSWD tag, when specified, allows a user to execute +commands using sudo without having to authenticate. This should be disabled +by making sure that the NOPASSWD tag does not exist in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/. 
+ BP28(R5) + BP28(R59) + CCI-002038 + IA-11 + CM-6(a) + PR.AC-1 + PR.AC-7 + SRG-OS-000373-GPOS-00156 + SRG-OS-000373-GPOS-00157 + SRG-OS-000373-GPOS-00158 + SRG-OS-000373-VMM-001470 + SRG-OS-000373-VMM-001480 + SRG-OS-000373-VMM-001490 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.5.1 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + Without re-authentication, users may access resources or perform tasks for which they +do not have authorization. + +When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate. + +for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do + matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq ) + if ! test -z "$matching_list"; then + while IFS= read -r entry; do + # comment out "NOPASSWD" matches to preserve user data + sed -i "s/^${entry}$/# &/g" $f + done <<< "$matching_list" + + /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo" + fi +done + + - name: Find /etc/sudoers.d/ files + find: + paths: + - /etc/sudoers.d/ + register: sudoers + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-11 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudo_remove_nopasswd + +- name: Remove lines containing NOPASSWD from sudoers files + replace: + regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$) + replace: '# \g<1>' + path: '{{ item.path }}' + validate: /usr/sbin/visudo -cf %s + with_items: + - path: /etc/sudoers + - '{{ sudoers.files }}' + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-11 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sudo_remove_nopasswd + + + + + + + 
+ + + Don't define allowed commands in sudoers by means of exclusion + Policies applied by sudo through the sudoers file should not involve negation. + +Each user specification in the sudoers file contains a comma-delimited list of command specifications. +The definition can make use glob patterns, as well as of negations. +Indirect definition of those commands by means of exclusion of a set of commands is trivial to bypass, so it is not allowed to use such constructs. + This rule doesn't come with a remediation, as negations indicate design issues with the sudoers user specifications design. Just removing negations doesn't increase the security - you typically have to rethink the definition of allowed commands to fix the issue. + BP28(R61) + Specifying access right using negation is inefficient and can be easily circumvented. +For example, it is expected that a specification like +# To avoid absolutely , this rule can be easily circumvented! +user ALL = ALL ,!/ bin/sh + prevents the execution of the shell +but that’s not the case: just copy the binary /bin/sh to a different name to make it executable +again through the rule keyword ALL. + + + + + + + + + + + GNOME Desktop Environment + GNOME is a graphical desktop environment bundled with many Linux distributions that +allow users to easily interact with the operating system graphically rather than +textually. The GNOME Graphical Display Manager (GDM) provides login, logout, and user +switching contexts as well as display server management. + +GNOME is developed by the GNOME Project and is considered the default + +Red Hat Graphical environment. + + +For more information on GNOME and the GNOME Project, see https://www.gnome.org. + + + Remove the GDM Package Group + By removing the gdm package, the system no longer has GNOME installed +installed. If X Windows is not installed then the system cannot boot into graphical user mode. 
+This prevents the system from being accidentally or maliciously booted into a graphical.target +mode. To do so, run the following command: +$ sudo yum remove gdm + CM-7(a) + CM-7(b) + CM-6(a) + SRG-OS-000480-GPOS-00227 + Unnecessary service packages must not be installed to decrease the attack surface of the system. +A graphical environment is unnecessary for certain types of systems including a virtualization +hypervisor. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + +# CAUTION: This remediation script will remove gdm +# from the system, and may remove any packages +# that depend on gdm. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "gdm" ; then + dnf remove -y "gdm" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_gdm_removed + +- name: Ensure gdm is removed + package: + name: gdm + state: absent + when: '"gdm" in ansible_facts.packages' + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_gdm_removed + + include remove_gdm + +class remove_gdm { + package { 'gdm': + ensure => 'purged', + } +} + + +package --remove=gdm + + + + + + + + + + Make sure that the dconf databases are up-to-date with regards to respective keyfiles + By default, DConf uses a binary database as a data backend. +The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the dconf update command. + SRG-OS-000480-GPOS-00227 + 164.308(a)(1)(ii)(B) + 164.308(a)(5)(ii)(A) + Unlike text-based keyfiles, the binary database is impossible to check by OVAL. 
+Therefore, in order to evaluate dconf configuration, both have to be true at the same time - +configuration files have to be compliant, and the database needs to be more recent than those keyfiles, +which gives confidence that it reflects them. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Configure GNOME3 DConf User Profile + By default, DConf provides a standard user profile. This profile contains a list +of DConf configuration databases. The user profile and database always take the +highest priority. As such the DConf User profile should always exist and be +configured correctly. + + +To make sure that the user profile is configured correctly, the /etc/dconf/profile/user +should be set as follows: +user-db:user +system-db:local +system-db:site +system-db:distro + + Failure to have a functional DConf profile prevents GNOME3 configuration settings +from being enforced for all users and allows various security risks. + + + + + + + + + + GNOME Network Settings + GNOME network settings that apply to the graphical interface. + + + Disable WIFI Network Notification in GNOME3 + By default, GNOME disables WIFI notification. This should be permanently set +so that users do not connect to a wireless network when the system finds one. +While useful for mobile devices, this setting should be disabled for all other systems. +To configure the system to disable the WIFI notication, add or set +suppress-wireless-networks-available to true in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/nm-applet] +suppress-wireless-networks-available=true + +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. 
+For example: +/org/gnome/nm-applet/suppress-wireless-networks-available +After the settings have been set, run dconf update. + 3.1.16 + Wireless network connections should not be allowed to be configured by general +users on a given system as it could open the system to backdoor attacks. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/nm-applet\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +if [ "${#SETTINGSFILES[@]}" -eq 0 ] +then + [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/nm-applet]" >> ${DCONFFILE} + printf '%s=%s\n' "suppress-wireless-networks-available" "true" >> ${DCONFFILE} +else + escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" + if grep -q "^\\s*suppress-wireless-networks-available\\s*=" "${SETTINGSFILES[@]}" + then + sed -i "s/\\s*suppress-wireless-networks-available\\s*=\\s*.*/suppress-wireless-networks-available=${escaped_value}/g" "${SETTINGSFILES[@]}" + else + sed -i "\\|\\[org/gnome/nm-applet\\]|a\\suppress-wireless-networks-available=${escaped_value}" "${SETTINGSFILES[@]}" + fi +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/nm-applet/suppress-wireless-networks-available$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/nm-applet/suppress-wireless-networks-available" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 
'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.16 + - dconf_gnome_disable_wifi_notification + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Disable WiFi Network Notification in GNOME3 + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/nm-applet + option: suppress-wireless-networks-available + value: 'true' + create: true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.16 + - dconf_gnome_disable_wifi_notification + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME3 disablement of WiFi + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/nm-applet/suppress-wireless-networks-available + line: /org/gnome/nm-applet/suppress-wireless-networks-available + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.16 + - dconf_gnome_disable_wifi_notification + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.16 + - dconf_gnome_disable_wifi_notification + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Disable WIFI Network Connection Creation in GNOME3 + GNOME allows users to create ad-hoc wireless connections through the +NetworkManager applet. 
Wireless connections should be disabled by +adding or setting disable-wifi-create to true in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/nm-applet] +disable-wifi-create=true + +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/nm-applet/disable-wifi-create +After the settings have been set, run dconf update. + 3.1.16 + Wireless network connections should not be allowed to be configured by general +users on a given system as it could open the system to backdoor attacks. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/nm-applet\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +if [ "${#SETTINGSFILES[@]}" -eq 0 ] +then + [ ! 
-z ${DCONFFILE} ] || echo "" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/nm-applet]" >> ${DCONFFILE} + printf '%s=%s\n' "disable-wifi-create" "true" >> ${DCONFFILE} +else + escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" + if grep -q "^\\s*disable-wifi-create\\s*=" "${SETTINGSFILES[@]}" + then + sed -i "s/\\s*disable-wifi-create\\s*=\\s*.*/disable-wifi-create=${escaped_value}/g" "${SETTINGSFILES[@]}" + else + sed -i "\\|\\[org/gnome/nm-applet\\]|a\\disable-wifi-create=${escaped_value}" "${SETTINGSFILES[@]}" + fi +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/nm-applet/disable-wifi-create$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/nm-applet/disable-wifi-create" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.16 + - dconf_gnome_disable_wifi_create + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Disable WiFi Network Connection Creation in GNOME3 + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/nm-applet + option: disable-wifi-create + value: 'true' + create: true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.16 + - dconf_gnome_disable_wifi_create + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME3 disablement of WiFi + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: 
^/org/gnome/nm-applet/disable-wifi-create + line: /org/gnome/nm-applet/disable-wifi-create + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.16 + - dconf_gnome_disable_wifi_create + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.16 + - dconf_gnome_disable_wifi_create + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + + GNOME Remote Access Settings + GNOME remote access settings that apply to the graphical interface. + + + Require Credential Prompting for Remote Access in GNOME3 + By default, GNOME does not require credentials when using Vino for +remote access. To configure the system to require remote credentials, add or set +authentication-methods to ['vnc'] in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/Vino] +authentication-methods=['vnc'] + +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/Vino/authentication-methods +After the settings have been set, run dconf update. + 3.1.12 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + Username and password prompting is required for remote access. Otherwise, non-authorized +and nefarious users can access the system freely. 
+ + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.12 + - dconf_gnome_remote_access_credential_prompt + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Require Credential Prompting for Remote Access in GNOME3 + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/Vino + option: authentication-methods + value: '[''vnc'']' + create: true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.12 + - dconf_gnome_remote_access_credential_prompt + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME3 Credential Prompting for Remote Access + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/Vino/authentication-methods + line: /org/gnome/Vino/authentication-methods + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.12 + - dconf_gnome_remote_access_credential_prompt + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.12 + - dconf_gnome_remote_access_credential_prompt + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Require Encryption for Remote Access in GNOME3 + By default, GNOME requires encryption when using Vino for remote access. 
+To prevent remote access encryption from being disabled, add or set +require-encryption to true in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/Vino] +require-encryption=true + +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/Vino/require-encryption +After the settings have been set, run dconf update. + 3.1.13 + CCI-000366 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + CM-6(a) + AC-17(a) + AC-17(2) + DE.AE-1 + PR.DS-7 + PR.IP-1 + SRG-OS-000480-GPOS-00227 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + 4.4.3.3 + BAI03.08 + BAI07.04 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS03.01 + A.12.1.1 + A.12.1.2 + A.12.1.4 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.1.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 1 + 11 + 12 + 13 + 15 + 16 + 18 + 20 + 3 + 4 + 6 + 9 + Open X displays allow an attacker to capture keystrokes and to execute commands +remotely. 
+ + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.13 + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - dconf_gnome_remote_access_encryption + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Require Encryption for Remote Access in GNOME3 + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/Vino + option: require-encryption + value: 'true' + create: true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.13 + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - dconf_gnome_remote_access_encryption + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME3 Encryption for Remote Access + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/Vino/require-encryption + line: /org/gnome/Vino/require-encryption + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.13 + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - dconf_gnome_remote_access_encryption + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.13 + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - dconf_gnome_remote_access_encryption + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - 
unknown_strategy + + + + + + + + + + + GNOME Media Settings + GNOME media settings that apply to the graphical interface. + + + Disable GNOME3 Automount Opening + The system's default desktop environment, GNOME3, will mount +devices and removable media (such as DVDs, CDs and USB flash drives) whenever +they are inserted into the system. To disable automount-open within GNOME3, add or set +automount-open to false in /etc/dconf/db/local.d/00-security-settings. +For example: +[org/gnome/desktop/media-handling] +automount-open=false +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/desktop/media-handling/automount-open +After the settings have been set, run dconf update. + 3.1.7 + CM-7(a) + CM-7(b) + CM-6(a) + PR.AC-3 + PR.AC-6 + SR 1.1 + SR 1.13 + SR 1.2 + SR 1.4 + SR 1.5 + SR 1.9 + SR 2.1 + SR 2.6 + 4.3.3.2.2 + 4.3.3.5.2 + 4.3.3.6.6 + 4.3.3.7.2 + 4.3.3.7.4 + APO13.01 + DSS01.04 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + A.11.2.6 + A.13.1.1 + A.13.2.1 + A.6.2.1 + A.6.2.2 + A.7.1.1 + A.9.2.1 + 12 + 16 + CCI-001958 + SRG-OS-000114-GPOS-00059 + SRG-OS-000378-GPOS-00163 + SRG-OS-000480-GPOS-00227 + Disabling automatic mounting in GNOME3 can prevent +the introduction of malware via removable media. +It will, however, also prevent desktop users from legitimate use +of removable media. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. 
+# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +if [ "${#SETTINGSFILES[@]}" -eq 0 ] +then + [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE} + printf '%s=%s\n' "automount-open" "false" >> ${DCONFFILE} +else + escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")" + if grep -q "^\\s*automount-open\\s*=" "${SETTINGSFILES[@]}" + then + sed -i "s/\\s*automount-open\\s*=\\s*.*/automount-open=${escaped_value}/g" "${SETTINGSFILES[@]}" + else + sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\automount-open=${escaped_value}" "${SETTINGSFILES[@]}" + fi +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/automount-open$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/desktop/media-handling/automount-open" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_automount_open + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Disable GNOME3 Automounting - automount-open + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/media-handling + option: automount-open + value: 'false' + create: true + no_extra_spaces: true + when: + - '"gdm" 
in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_automount_open + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME3 Automounting - automount-open + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/media-handling/automount-open + line: /org/gnome/desktop/media-handling/automount-open + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_automount_open + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_automount_open + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Disable GNOME3 Automounting + The system's default desktop environment, GNOME3, will mount +devices and removable media (such as DVDs, CDs and USB flash drives) whenever +they are inserted into the system. To disable automount within GNOME3, add or set +automount to false in /etc/dconf/db/local.d/00-security-settings. +For example: +[org/gnome/desktop/media-handling] +automount=false +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. 
+For example: +/org/gnome/desktop/media-handling/automount +After the settings have been set, run dconf update. + 3.1.7 + CM-7(a) + CM-7(b) + CM-6(a) + PR.AC-3 + PR.AC-6 + SR 1.1 + SR 1.13 + SR 1.2 + SR 1.4 + SR 1.5 + SR 1.9 + SR 2.1 + SR 2.6 + 4.3.3.2.2 + 4.3.3.5.2 + 4.3.3.6.6 + 4.3.3.7.2 + 4.3.3.7.4 + APO13.01 + DSS01.04 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + A.11.2.6 + A.13.1.1 + A.13.2.1 + A.6.2.1 + A.6.2.2 + A.7.1.1 + A.9.2.1 + 12 + 16 + Disabling automatic mounting in GNOME3 can prevent +the introduction of malware via removable media. +It will, however, also prevent desktop users from legitimate use +of removable media. + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_automount + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_severity + - unknown_strategy + +- name: Disable GNOME3 Automounting - automount + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/media-handling + option: automount + value: 'false' + create: true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_automount + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_severity + - unknown_strategy + +- name: Prevent user modification of GNOME3 Automounting - automount + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/media-handling/automount + line: /org/gnome/desktop/media-handling/automount + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - 
NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_automount + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_severity + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_automount + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_severity + - unknown_strategy + + + + + + + + + + Disable All GNOME3 Thumbnailers + The system's default desktop environment, GNOME3, uses +a number of different thumbnailer programs to generate thumbnails +for any new or modified content in an opened folder. To disable the +execution of these thumbnail applications, add or set disable-all +to true in /etc/dconf/db/local.d/00-security-settings. +For example: +[org/gnome/desktop/thumbnailers] +disable-all=true +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/desktop/thumbnailers/disable-all +After the settings have been set, run dconf update. +This effectively prevents an attacker from gaining access to a +system through a flaw in GNOME3's Nautilus thumbnail creators. 
+ CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + An attacker with knowledge of a flaw in a GNOME3 thumbnailer application could craft a malicious +file to exploit this flaw. Assuming the attacker could place the malicious file on the local filesystem +(via a web upload for example) and assuming a user browses the same location using Nautilus, the +malicious file would exploit the thumbnailer with the potential for malicious code execution. It +is best to disable these thumbnailer applications unless they are explicitly required. 
+ + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_thumbnailers + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_severity + - unknown_strategy + +- name: Disable All GNOME3 Thumbnailers + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/thumbnailers + option: disable-all + value: 'true' + create: true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_thumbnailers + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_severity + - unknown_strategy + +- name: Prevent user modification of GNOME3 Thumbnailers + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/thumbnailers/disable-all + line: /org/gnome/desktop/thumbnailers/disable-all + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_thumbnailers + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_severity + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_thumbnailers + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_severity + - unknown_strategy + + + + + + + + + + Disable GNOME3 Automount running + The system's default desktop environment, GNOME3, 
will mount +devices and removable media (such as DVDs, CDs and USB flash drives) whenever +they are inserted into the system. To disable autorun-never within GNOME3, add or set +autorun-never to true in /etc/dconf/db/local.d/00-security-settings. +For example: +[org/gnome/desktop/media-handling] +autorun-never=true +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/desktop/media-handling/autorun-never +After the settings have been set, run dconf update. + 3.1.7 + CM-7(a) + CM-7(b) + CM-6(a) + PR.AC-3 + PR.AC-6 + SR 1.1 + SR 1.13 + SR 1.2 + SR 1.4 + SR 1.5 + SR 1.9 + SR 2.1 + SR 2.6 + 4.3.3.2.2 + 4.3.3.5.2 + 4.3.3.6.6 + 4.3.3.7.2 + 4.3.3.7.4 + APO13.01 + DSS01.04 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + A.11.2.6 + A.13.1.1 + A.13.2.1 + A.6.2.1 + A.6.2.2 + A.7.1.1 + A.9.2.1 + 12 + 16 + CCI-001958 + SRG-OS-000114-GPOS-00059 + SRG-OS-000378-GPOS-00163 + SRG-OS-000480-GPOS-00227 + Disabling automatic mount running in GNOME3 can prevent +the introduction of malware via removable media. +It will, however, also prevent desktop users from legitimate use +of removable media. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/media-handling\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +if [ "${#SETTINGSFILES[@]}" -eq 0 ] +then + [ ! 
-z ${DCONFFILE} ] || echo "" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/desktop/media-handling]" >> ${DCONFFILE} + printf '%s=%s\n' "autorun-never" "true" >> ${DCONFFILE} +else + escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" + if grep -q "^\\s*autorun-never\\s*=" "${SETTINGSFILES[@]}" + then + sed -i "s/\\s*autorun-never\\s*=\\s*.*/autorun-never=${escaped_value}/g" "${SETTINGSFILES[@]}" + else + sed -i "\\|\\[org/gnome/desktop/media-handling\\]|a\\autorun-never=${escaped_value}" "${SETTINGSFILES[@]}" + fi +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/media-handling/autorun-never$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/desktop/media-handling/autorun-never" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_autorun + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Disable GNOME3 Automounting - autorun-never + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/media-handling + option: autorun-never + value: 'true' + create: true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_autorun + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user 
modification of GNOME3 Automounting - autorun-never + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/media-handling/autorun-never + line: /org/gnome/desktop/media-handling/autorun-never + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_autorun + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_autorun + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + + GNOME System Settings + GNOME provides configuration and functionality to a graphical desktop environment +that changes grahical configurations or allow a user to perform +actions that users normally would not be able to do in non-graphical mode such as +remote access configuration, power policies, Geo-location, etc. +Configuring such settings in GNOME will prevent accidential graphical configuration +changes by users from taking place. + + + Disable Power Settings in GNOME3 + By default, GNOME enables a power profile designed for mobile devices +with battery usage. While useful for mobile devices, this setting should be disabled +for all other systems. To configure the system to disable the power setting, add or set +active to false in +/etc/dconf/db/local.d/00-security-settings. 
For example: +[org/gnome/settings-daemon/plugins/power] +active=false + +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/settings-daemon/plugins/power +After the settings have been set, run dconf update. + Power settings should not be enabled on systems that are not mobile devices. +Enabling power settings on non-mobile devices could have unintended processing +consequences on standard systems. + + + + + + + + + + Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 + By default, GNOME will reboot the system if the +Ctrl-Alt-Del key sequence is pressed. + +To configure the system to ignore the Ctrl-Alt-Del key sequence +from the Graphical User Interface (GUI) instead of rebooting the system, +add or set logout to '' in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/settings-daemon/plugins/media-keys] +logout='' +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent +user modification. For example: +/org/gnome/settings-daemon/plugins/media-keys/logout +After the settings have been set, run dconf update. + 3.1.2 + CCI-000366 + CM-6(a) + AC-6(1) + CM-7(b) + PR.AC-4 + PR.DS-5 + SRG-OS-000480-GPOS-00227 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + A locally logged-in user who presses Ctrl-Alt-Del, when at the console, +can reboot the system. If accidentally pressed, as could happen in +the case of mixed OS environment, this can create the risk of short-term +loss of availability of systems due to unintentional reboot. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/plugins/media-keys\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +if [ "${#SETTINGSFILES[@]}" -eq 0 ] +then + [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/settings-daemon/plugins/media-keys]" >> ${DCONFFILE} + printf '%s=%s\n' "logout" "''" >> ${DCONFFILE} +else + escaped_value="$(sed -e 's/\\/\\\\/g' <<< "''")" + if grep -q "^\\s*logout\\s*=" "${SETTINGSFILES[@]}" + then + sed -i "s/\\s*logout\\s*=\\s*.*/logout=${escaped_value}/g" "${SETTINGSFILES[@]}" + else + sed -i "\\|\\[org/gnome/settings-daemon/plugins/media-keys\\]|a\\logout=${escaped_value}" "${SETTINGSFILES[@]}" + fi +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/plugins/media-keys/logout$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/settings-daemon/plugins/media-keys/logout" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_ctrlaltdel_reboot + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: 
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/settings-daemon/plugins/media-keys + option: logout + value: '''''' + create: true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_ctrlaltdel_reboot + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME disablement of Ctrl-Alt-Del + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/settings-daemon/plugins/media-keys/logout + line: /org/gnome/settings-daemon/plugins/media-keys/logout + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_ctrlaltdel_reboot + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_ctrlaltdel_reboot + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Disable User Administration in GNOME3 + By default, GNOME will allow all users to have some administratrion +capability. This should be disabled so that non-administrative users are not making +configuration changes. 
To configure the system to disable user administration +capability in the Graphical User Interface (GUI), add or set +user-administration-disabled to true in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/desktop/lockdown] +user-administration-disabled=true + +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/desktop/lockdown/user-administration-disabled +After the settings have been set, run dconf update. + 3.1.5 + FMT_MOD_EXT.1 + Allowing all users to have some administratrive capabilities to the system through +the Graphical User Interface (GUI) when they would not have them otherwise could allow +unintended configuration changes as well as a nefarious user the capability to make system +changes such as adding new accounts, etc. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/lockdown\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +if [ "${#SETTINGSFILES[@]}" -eq 0 ] +then + [ ! 
-z ${DCONFFILE} ] || echo "" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/desktop/lockdown]" >> ${DCONFFILE} + printf '%s=%s\n' "user-administration-disabled" "true" >> ${DCONFFILE} +else + escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" + if grep -q "^\\s*user-administration-disabled\\s*=" "${SETTINGSFILES[@]}" + then + sed -i "s/\\s*user-administration-disabled\\s*=\\s*.*/user-administration-disabled=${escaped_value}/g" "${SETTINGSFILES[@]}" + else + sed -i "\\|\\[org/gnome/desktop/lockdown\\]|a\\user-administration-disabled=${escaped_value}" "${SETTINGSFILES[@]}" + fi +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/lockdown/user-administration-disabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/desktop/lockdown/user-administration-disabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.5 + - dconf_gnome_disable_user_admin + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Detect if user-administration-disabled can be found on /etc/dconf/db/local.d/ + find: + path: /etc/dconf/db/local.d/ + contains: ^\s*user-administration-disabled + register: dconf_gnome_disable_user_admin_config_files + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.5 + - dconf_gnome_disable_user_admin + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Configure user-administration-disabled - default file + ini_file: + dest: 
/etc/dconf/db/local.d//00-security-settings + section: org/gnome/desktop/lockdown + option: user-administration-disabled + value: 'true' + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - dconf_gnome_disable_user_admin_config_files is defined and dconf_gnome_disable_user_admin_config_files.matched + == 0 + tags: + - NIST-800-171-3.1.5 + - dconf_gnome_disable_user_admin + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Configure user-administration-disabled - existing files + ini_file: + dest: '{{ item.path }}' + section: org/gnome/desktop/lockdown + option: user-administration-disabled + value: 'true' + create: true + with_items: '{{ dconf_gnome_disable_user_admin_config_files.files }}' + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - dconf_gnome_disable_user_admin_config_files is defined and dconf_gnome_disable_user_admin_config_files.matched + > 0 + tags: + - NIST-800-171-3.1.5 + - dconf_gnome_disable_user_admin + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Detect if lock for user-administration-disabled can be found on /etc/dconf/db/local.d/ + find: + path: /etc/dconf/db/local.d/locks + contains: ^\s*user-administration-disabled + register: dconf_gnome_disable_user_admin_lock_files + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.5 + - dconf_gnome_disable_user_admin + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification user-administration-disabled - default file + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: 
^/org/gnome/desktop/lockdown/user-administration-disabled + line: /org/gnome/desktop/lockdown/user-administration-disabled + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - dconf_gnome_disable_user_admin_lock_files is defined and dconf_gnome_disable_user_admin_lock_files.matched + == 0 + tags: + - NIST-800-171-3.1.5 + - dconf_gnome_disable_user_admin + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification user-administration-disabled - existing files + lineinfile: + path: '{{ item.path }}' + regexp: ^/org/gnome/desktop/lockdown/user-administration-disabled + line: /org/gnome/desktop/lockdown/user-administration-disabled + create: true + with_items: '{{ dconf_gnome_disable_user_admin_lock_files.files }}' + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - dconf_gnome_disable_user_admin_lock_files is defined and dconf_gnome_disable_user_admin_lock_files.matched + > 0 + tags: + - NIST-800-171-3.1.5 + - dconf_gnome_disable_user_admin + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update - user-administration-disabled + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.5 + - dconf_gnome_disable_user_admin + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Disable Geolocation in GNOME3 + GNOME allows the clock and applications to track and access +location information. This setting should be disabled as applications +should not track system location. 
To configure the system to disable +location tracking, add or set enabled to false in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/system/location] +enabled=false +To configure the clock to disable location tracking, add or set +geolocation to false in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/clocks] +geolocation=false +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent +user modification. For example: +/org/gnome/system/location/enabled +/org/gnome/clocks/geolocation +After the settings have been set, run dconf update. + Power settings should not be enabled on systems that are not mobile devices. +Enabling power settings on non-mobile devices could have unintended processing +consequences on standard systems. + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - dconf_gnome_disable_geolocation + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Disable Geolocation in GNOME3 - location tracking + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/system/location + option: enabled + value: 'false' + create: true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_disable_geolocation + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Disable Geolocation in GNOME3 - clock location tracking + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/clocks + option: gelocation + value: 'false' + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_disable_geolocation + - low_complexity + - 
medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME geolocation - location tracking + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/system/location/enabled + line: /org/gnome/system/location/enabled + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_disable_geolocation + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME geolocation - clock location tracking + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/clocks/geolocation + line: /org/gnome/clocks/geolocation + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_disable_geolocation + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_disable_geolocation + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + + Configure GNOME Screen Locking + In the default GNOME3 desktop, the screen can be locked +by selecting the user name in the far right corner of the main panel and +selecting Lock. + +The following sections detail commands to enforce idle activation of the screensaver, +screen locking, a blank-screen screensaver, and an idle activation time. 
+ +Because users should be trained to lock the screen when they +step away from the computer, the automatic locking feature is only +meant as a backup. + +The root account can be screen-locked; however, the root account should +never be used to log into an X Windows environment and should only +be used to for direct login via console in emergency circumstances. + +For more information about enforcing preferences in the GNOME3 environment using the DConf +configuration system, see http://wiki.gnome.org/dconf and +the man page dconf(1). + + + Screensaver Inactivity timeout + Choose allowed duration (in seconds) of inactive graphical sessions + 600 + 900 + 1800 + 300 + 900 + + + Screensaver Lock Delay + Choose allowed duration (in seconds) after a screensaver becomes active before displaying an authentication prompt + 10 + 5 + 0 + 0 + + + Ensure Users Cannot Change GNOME3 Session Idle Settings + If not already configured, ensure that users cannot change GNOME3 session idle settings +by adding /org/gnome/desktop/session/idle-delay +to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/desktop/session/idle-delay +After the settings have been set, run dconf update. + 3.1.10 + CCI-000057 + CM-6(a) + PR.AC-7 + FMT_MOF_EXT.1 + SRG-OS-000029-GPOS-00010 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate +physical vicinity of the information system but does not logout because of the temporary nature of the absence. 
+Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, +GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the +session lock. As such, users should not be allowed to change session settings. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/session/idle-delay$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/desktop/session/idle-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - dconf_gnome_session_idle_user_locks + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME Session idle-delay + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/session/idle-delay + line: /org/gnome/desktop/session/idle-delay + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - dconf_gnome_session_idle_user_locks + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - 
NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - dconf_gnome_session_idle_user_locks + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Disable Full User Name on Splash Shield + By default when the screen is locked, the splash shield will show the user's +full name. This should be disabled to prevent casual observers from seeing +who has access to the system. This can be disabled by adding or setting +show-full-name-in-top-bar to false in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/desktop/screensaver] +show-full-name-in-top-bar=false + +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/desktop/screensaver/show-full-name-in-top-bar +After the settings have been set, run dconf update. + FMT_MOF_EXT.1 + Setting the splash screen to not reveal the logged in user's name +conceals who has access to the system from passersby. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +if [ "${#SETTINGSFILES[@]}" -eq 0 ] +then + [ ! 
-z ${DCONFFILE} ] || echo "" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} + printf '%s=%s\n' "show-full-name-in-top-bar" "false" >> ${DCONFFILE} +else + escaped_value="$(sed -e 's/\\/\\\\/g' <<< "false")" + if grep -q "^\\s*show-full-name-in-top-bar\\s*=" "${SETTINGSFILES[@]}" + then + sed -i "s/\\s*show-full-name-in-top-bar\\s*=\\s*.*/show-full-name-in-top-bar=${escaped_value}/g" "${SETTINGSFILES[@]}" + else + sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\show-full-name-in-top-bar=${escaped_value}" "${SETTINGSFILES[@]}" + fi +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/desktop/screensaver/show-full-name-in-top-bar" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - dconf_gnome_screensaver_user_info + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Disable Full Username on Splash Screen + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/screensaver + option: show-full-name-in-top-bar + value: 'false' + create: true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_screensaver_user_info + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME show-full-name-in-top-bar + lineinfile: + path: 
/etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/screensaver/show-full-name-in-top-bar + line: /org/gnome/desktop/screensaver/show-full-name-in-top-bar + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_screensaver_user_info + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_screensaver_user_info + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Ensure Users Cannot Change GNOME3 Screensaver Idle Activation + If not already configured, ensure that users cannot change GNOME3 screensaver lock settings +by adding /org/gnome/desktop/screensaver/idle-activation-enabled +to /etc/dconf/db/local.d/00-security-settings. +For example: +/org/gnome/desktop/screensaver/idle-activation-enabled +After the settings have been set, run dconf update. + 5.5.5 + 3.1.10 + CCI-000057 + CM-6(a) + PR.AC-7 + FMT_MOF_EXT.1 + Req-8.1.8 + SRG-OS-000029-GPOS-00010 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity +of the information system but does not want to logout because of the temporary nature of the absense. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_activation_locked + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME Screensaver idle-activation-enabled + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/screensaver/idle-activation-enabled + line: /org/gnome/desktop/screensaver/idle-activation-enabled + create: true + when: '"gdm" in ansible_facts.packages' + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_activation_locked + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: '"gdm" in ansible_facts.packages' + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_activation_locked + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period + If not already configured, ensure that users cannot 
change GNOME3 screensaver lock settings +by adding /org/gnome/desktop/screensaver/lock-enabled +to /etc/dconf/db/local.d/00-security-settings. +For example: +/org/gnome/desktop/screensaver/lock-enabled +After the settings have been set, run dconf update. + 5.5.5 + 3.1.10 + CCI-000056 + CCI-000057 + CM-6(a) + PR.AC-7 + FMT_MOF_EXT.1 + Req-8.1.8 + SRG-OS-000029-GPOS-00010 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity +of the information system but does not want to logout because of the temporary nature of the absense. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_locked + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME Screensaver lock-enabled + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/screensaver/lock-enabled + line: 
/org/gnome/desktop/screensaver/lock-enabled + create: true + when: '"gdm" in ansible_facts.packages' + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_locked + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: '"gdm" in ansible_facts.packages' + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_locked + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Set GNOME3 Screensaver Inactivity Timeout + The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay +setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory +and locked in /etc/dconf/db/local.d/locks directory to prevent user modification. + +For example, to configure the system for a 15 minute delay, add the following to +/etc/dconf/db/local.d/00-security-settings: +[org/gnome/desktop/session] +idle-delay=uint32 900 +Once the setting has been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/desktop/session/idle-delay +After the settings have been set, run dconf update. 
+ 5.5.5 + 3.1.10 + CCI-000057 + AC-11(a) + CM-6(a) + PR.AC-7 + FMT_MOF_EXT.1 + Req-8.1.8 + SRG-OS-000029-GPOS-00010 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + A session time-out lock is a temporary action taken when a user stops work and moves away from +the immediate physical vicinity of the information system but does not logout because of the +temporary nature of the absence. Rather than relying on the user to manually lock their operating +system session prior to vacating the vicinity, GNOME3 can be configured to identify when +a user's session has idled and take action to initiate a session lock. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + + +inactivity_timeout_value="" + + + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/session\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +if [ "${#SETTINGSFILES[@]}" -eq 0 ] +then + [ ! 
-z ${DCONFFILE} ] || echo "" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/desktop/session]" >> ${DCONFFILE} + printf '%s=%s\n' "idle-delay" "uint32 ${inactivity_timeout_value}" >> ${DCONFFILE} +else + escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${inactivity_timeout_value}")" + if grep -q "^\\s*idle-delay\\s*=" "${SETTINGSFILES[@]}" + then + sed -i "s/\\s*idle-delay\\s*=\\s*.*/idle-delay=${escaped_value}/g" "${SETTINGSFILES[@]}" + else + sed -i "\\|\\[org/gnome/desktop/session\\]|a\\idle-delay=${escaped_value}" "${SETTINGSFILES[@]}" + fi +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/session/idle-delay$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/desktop/session/idle-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_delay + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy +- name: XCCDF Value inactivity_timeout_value # promote to variable + set_fact: + inactivity_timeout_value: !!str + tags: + - always + +- name: Set GNOME3 Screensaver Inactivity Timeout + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/session + option: idle-delay + value: uint32 {{ inactivity_timeout_value }} + create: true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) + - 
NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_delay + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME idle-delay + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/session/idle-delay + line: /org/gnome/desktop/session/idle-delay + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_delay + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_delay + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + + Enable GNOME3 Screensaver Idle Activation + To activate the screensaver in the GNOME3 desktop after a period of inactivity, +add or set idle-activation-enabled to true in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/desktop/screensaver] +idle-activation-enabled=true +Once the setting has been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/desktop/screensaver/idle-activation-enabled +After the settings have been set, run dconf update. 
+ 5.5.5 + 3.1.10 + CCI-000057 + CM-6(a) + AC-11(a) + PR.AC-7 + FMT_MOF_EXT.1 + Req-8.1.8 + SRG-OS-000029-GPOS-00010 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate +physical vicinity of the information system but does not logout because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, +GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the +session lock. + +Enabling idle activation of the screensaver ensures the screensaver will +be activated after the idle delay. Applications requiring continuous, +real-time screen display (such as network management products) require the +login session does not have administrator rights and the display station is located in a +controlled-access area. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +if [ "${#SETTINGSFILES[@]}" -eq 0 ] +then + [ ! 
-z ${DCONFFILE} ] || echo "" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} + printf '%s=%s\n' "idle-activation-enabled" "true" >> ${DCONFFILE} +else + escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" + if grep -q "^\\s*idle-activation-enabled\\s*=" "${SETTINGSFILES[@]}" + then + sed -i "s/\\s*idle-activation-enabled\\s*=\\s*.*/idle-activation-enabled=${escaped_value}/g" "${SETTINGSFILES[@]}" + else + sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\idle-activation-enabled=${escaped_value}" "${SETTINGSFILES[@]}" + fi +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/idle-activation-enabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/desktop/screensaver/idle-activation-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_activation_enabled + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Enable GNOME3 Screensaver Idle Activation + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/screensaver + option: idle_activation_enabled + value: 'true' + create: true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_activation_enabled + - 
low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME idle_activation_enabled + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/screensaver/idle-activation-enabled + line: /org/gnome/desktop/screensaver/idle-activation-enabled + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_activation_enabled + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_idle_activation_enabled + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Enable GNOME3 Screensaver Lock After Idle Period + +To activate locking of the screensaver in the GNOME3 desktop when it is activated, +add or set lock-enabled to true in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/desktop/screensaver] +lock-enabled=true + +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/desktop/screensaver/lock-enabled +After the settings have been set, run dconf update. 
+ 5.5.5 + 3.1.10 + CCI-000056 + CCI-000058 + CCI-000060 + CM-6(a) + PR.AC-7 + FMT_MOF_EXT.1 + Req-8.1.8 + SRG-OS-000028-GPOS-00009 + SRG-OS-000030-GPOS-00011 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity +of the information system but does not want to logout because of the temporary nature of the absense. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +if [ "${#SETTINGSFILES[@]}" -eq 0 ] +then + [ ! 
-z ${DCONFFILE} ] || echo "" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} + printf '%s=%s\n' "lock-enabled" "true" >> ${DCONFFILE} +else + escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" + if grep -q "^\\s*lock-enabled\\s*=" "${SETTINGSFILES[@]}" + then + sed -i "s/\\s*lock-enabled\\s*=\\s*.*/lock-enabled=${escaped_value}/g" "${SETTINGSFILES[@]}" + else + sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-enabled=${escaped_value}" "${SETTINGSFILES[@]}" + fi +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-enabled$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/desktop/screensaver/lock-enabled" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ansible_distribution == 'SLES' + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Enable GNOME3 Screensaver Lock After Idle Period + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/screensaver + option: lock-enabled + value: 'true' + create: 
true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME lock-enabled + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/screensaver/lock-enabled + line: /org/gnome/desktop/screensaver/lock-enabled + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Check GNOME3 screenserver disable-lock-screen false + command: gsettings get org.gnome.desktop.lockdown disable-lock-screen + register: cmd_out + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ansible_distribution == 'SLES' + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Update GNOME3 screenserver disable-lock-screen false + command: gsettings set org.gnome.desktop.lockdown disable-lock-screen false + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ansible_distribution == 'SLES' + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - 
PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_enabled + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Implement Blank Screensaver + + + +To set the screensaver mode in the GNOME3 desktop to a blank screen, +add or set picture-uri to string '' in +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/desktop/screensaver] +picture-uri='' + +Once the settings have been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/desktop/screensaver/picture-uri +After the settings have been set, run dconf update. + 5.5.5 + 3.1.10 + CCI-000060 + AC-11(1) + CM-6(a) + AC-11(1).1 + PR.AC-7 + SRG-OS-000031-GPOS-00012 + FMT_MOF_EXT.1 + Req-8.1.8 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + Setting the screensaver mode to blank-only conceals the +contents of the display from passersby. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. 
+# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +if [ "${#SETTINGSFILES[@]}" -eq 0 ] +then + [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} + printf '%s=%s\n' "picture-uri" "string ''" >> ${DCONFFILE} +else + escaped_value="$(sed -e 's/\\/\\\\/g' <<< "string ''")" + if grep -q "^\\s*picture-uri\\s*=" "${SETTINGSFILES[@]}" + then + sed -i "s/\\s*picture-uri\\s*=\\s*.*/picture-uri=${escaped_value}/g" "${SETTINGSFILES[@]}" + else + sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\picture-uri=${escaped_value}" "${SETTINGSFILES[@]}" + fi +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/picture-uri$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/desktop/screensaver/picture-uri" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(1) + - NIST-800-53-AC-11(1).1 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_mode_blank + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Implement Blank Screensaver + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/screensaver + option: picture-uri + value: string '' + create: true + no_extra_spaces: true + when: + - '"gdm" in 
ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(1) + - NIST-800-53-AC-11(1).1 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_mode_blank + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME picture-uri + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/screensaver/picture-uri + line: /org/gnome/desktop/screensaver/picture-uri + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(1) + - NIST-800-53-AC-11(1).1 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_mode_blank + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.5 + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(1) + - NIST-800-53-AC-11(1).1 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_mode_blank + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Set GNOME3 Screensaver Lock Delay After Activation Period + To activate the locking delay of the screensaver in the GNOME3 desktop when +the screensaver is activated, add or set lock-delay to uint32 in +/etc/dconf/db/local.d/00-security-settings. 
For example: +[org/gnome/desktop/screensaver] +lock-delay=uint32 + +Once the setting has been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/desktop/screensaver/lock-delay +After the settings have been set, run dconf update. + 3.1.10 + CCI-000056 + CCI-000057 + AC-11(a) + CM-6(a) + PR.AC-7 + FMT_MOF_EXT.1 + Req-8.1.8 + SRG-OS-000029-GPOS-00010 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity +of the information system but does not want to logout because of the temporary nature of the absense. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + + +var_screensaver_lock_delay="" + + + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/desktop/screensaver\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +if [ "${#SETTINGSFILES[@]}" -eq 0 ] +then + [ ! 
-z ${DCONFFILE} ] || echo "" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/desktop/screensaver]" >> ${DCONFFILE} + printf '%s=%s\n' "lock-delay" "uint32 ${var_screensaver_lock_delay}" >> ${DCONFFILE} +else + escaped_value="$(sed -e 's/\\/\\\\/g' <<< "uint32 ${var_screensaver_lock_delay}")" + if grep -q "^\\s*lock-delay\\s*=" "${SETTINGSFILES[@]}" + then + sed -i "s/\\s*lock-delay\\s*=\\s*.*/lock-delay=${escaped_value}/g" "${SETTINGSFILES[@]}" + else + sed -i "\\|\\[org/gnome/desktop/screensaver\\]|a\\lock-delay=${escaped_value}" "${SETTINGSFILES[@]}" + fi +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-delay$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/desktop/screensaver/lock-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_delay + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Set GNOME3 Screensaver Lock Delay After Activation Period + ini_file: + dest: /etc/dconf/db/local.d/00-security-settings + section: org/gnome/desktop/screensaver + option: lock-delay + value: uint32 5 + create: true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_delay + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed 
+ - unknown_strategy + +- name: Prevent user modification of GNOME lock-delay + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/screensaver/lock-delay + line: /org/gnome/desktop/screensaver/lock-delay + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_delay + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.10 + - NIST-800-53-AC-11(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.8 + - dconf_gnome_screensaver_lock_delay + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + + Ensure Users Cannot Change GNOME3 Screensaver Settings + If not already configured, ensure that users cannot change GNOME3 screensaver lock settings +by adding /org/gnome/desktop/screensaver/lock-delay +to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/desktop/screensaver/lock-delay +After the settings have been set, run dconf update. 
+ 3.1.10 + CCI-000057 + CM-6(a) + PR.AC-7 + FMT_MOF_EXT.1 + SRG-OS-000029-GPOS-00010 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate +physical vicinity of the information system but does not logout because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, +GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the +session lock. As such, users should not be allowed to change session settings. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/desktop/screensaver/lock-delay$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/desktop/screensaver/lock-delay" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - dconf_gnome_screensaver_user_locks + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME lock-delay + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/desktop/screensaver/lock-delay + line: /org/gnome/desktop/screensaver/lock-delay + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - dconf_gnome_screensaver_user_locks + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - dconf_gnome_screensaver_user_locks + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + + Configure GNOME Login Screen + In the default GNOME desktop, the login is displayed after system boot +and can display user accounts, allow users to reboot the system, and allow users to +login automatically and/or 
with a guest account. The login screen should be configured +to prevent such behavior. + + +For more information about enforcing preferences in the GNOME3 environment using the DConf +configuration system, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/index.html/> and the man page dconf(1). + + + Disable GDM Automatic Login + The GNOME Display Manager (GDM) can allow users to automatically login without +user interaction or credentials. User should always be required to authenticate themselves +to the system that they are authorized to use. To disable user ability to automatically +login to the system, set the AutomaticLoginEnable to false in the +[daemon] section in /etc/gdm/custom.conf. For example: +[daemon] +AutomaticLoginEnable=false + 3.1.1 + CCI-000366 + CM-6(a) + AC-6(1) + CM-7(b) + PR.IP-1 + FIA_UAU.1 + SRG-OS-000480-GPOS-00229 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 3 + 9 + Failure to restrict system access to authenticated users negatively impacts operating +system security. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +if rpm --quiet -q gdm +then + if ! 
grep -q "^AutomaticLoginEnable=" /etc/gdm/custom.conf + then + sed -i "/^\[daemon\]/a \ + AutomaticLoginEnable=False" /etc/gdm/custom.conf + else + sed -i "s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g" /etc/gdm/custom.conf + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.1 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - gnome_gdm_disable_automatic_login + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Disable GDM Automatic Login + ini_file: + dest: /etc/gdm/custom.conf + section: daemon + option: AutomaticLoginEnable + value: 'false' + no_extra_spaces: true + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.1 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - gnome_gdm_disable_automatic_login + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Set the GNOME3 Login Number of Failures + In the default graphical environment, the GNOME3 login +screen and be configured to restart the authentication process after +a configured number of attempts. This can be configured by setting +allowed-failures to 3 or less. + +To enable, add or edit allowed-failures to +/etc/dconf/db/gdm.d/00-security-settings. For example: +[org/gnome/login-screen] +allowed-failures=3 +Once the setting has been added, add a lock to +/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/login-screen/allowed-failures +After the settings have been set, run dconf update. 
+ 3.1.8 + FMT_MOF_EXT.1 + Setting the password retry prompts that are permitted on a per-session basis to a low value +requires some software, such as SSH, to re-connect. This can slow down and +draw additional attention to some types of password-guessing attacks. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" +DBDIR="/etc/dconf/db/gdm.d" + +mkdir -p "${DBDIR}" + +if [ "${#SETTINGSFILES[@]}" -eq 0 ] +then + [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} + printf '%s=%s\n' "allowed-failures" "3" >> ${DCONFFILE} +else + escaped_value="$(sed -e 's/\\/\\\\/g' <<< "3")" + if grep -q "^\\s*allowed-failures\\s*=" "${SETTINGSFILES[@]}" + then + sed -i "s/\\s*allowed-failures\\s*=\\s*.*/allowed-failures=${escaped_value}/g" "${SETTINGSFILES[@]}" + else + sed -i "\\|\\[org/gnome/login-screen\\]|a\\allowed-failures=${escaped_value}" "${SETTINGSFILES[@]}" + fi +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/login-screen/allowed-failures$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/login-screen/allowed-failures" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.8 + - 
dconf_gnome_login_retries + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Enable the GNOME3 Login Number of Failures + ini_file: + dest: /etc/dconf/db/gdm.d/00-security-settings + section: org/gnome/login-screen + option: allowed-failures + value: '3' + create: true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.8 + - dconf_gnome_login_retries + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME3 Login Number of Failures + lineinfile: + path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock + regexp: ^/org/gnome/login-screen/allowed-failures + line: /org/gnome/login-screen/allowed-failures + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.8 + - dconf_gnome_login_retries + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.8 + - dconf_gnome_login_retries + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Disable XDMCP in GDM + XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g. +XDMCP Gnome docs. + +To disable XDMCP support in Gnome, set Enable to false under the [xdmcp] configuration section in /etc/gdm/custom.conf. 
For example: + +[xdmcp] +Enable=false + + XDMCP provides unencrypted remote access through the Gnome Display Manager (GDM) which does +not provide for the confidentiality and integrity of user passwords or the +remote session. If a privileged user were to login using XDMCP, the +privileged user password could be compromised due to typed XEvents +and keystrokes will traversing over the network in clear text. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + +# Try find '[xdmcp]' and 'Enable' in '/etc/gdm/custom.conf', if it exists, set +# to 'false', if it isn't here, add it, if '[xdmcp]' doesn't exist, add it there +if grep -qzosP '[[:space:]]*\[xdmcp]([^\n\[]*\n+)+?[[:space:]]*Enable' '/etc/gdm/custom.conf'; then + sed -i 's/Enable[^(\n)]*/Enable=false/' '/etc/gdm/custom.conf' +elif grep -qs '[[:space:]]*\[xdmcp]' '/etc/gdm/custom.conf'; then + sed -i '/[[:space:]]*\[xdmcp]/a Enable=false' '/etc/gdm/custom.conf' +else + if test -d "/etc/gdm"; then + printf '%s\n' '[xdmcp]' 'Enable=false' >> '/etc/gdm/custom.conf' + else + echo "Config file directory '/etc/gdm' doesnt exist, not remediating, assuming non-applicability." >&2 + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - gnome_gdm_disable_xdmcp + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Disable XDMCP in GDM + ini_file: + path: /etc/gdm/custom.conf + section: xdmcp + option: Enable + value: 'false' + create: true + mode: 420 + when: '"gdm" in ansible_facts.packages' + tags: + - gnome_gdm_disable_xdmcp + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Disable the GNOME3 Login User List + In the default graphical environment, users logging directly into the +system are greeted with a login screen that displays all known users. 
+This functionality should be disabled by setting disable-user-list +to true. + +To disable, add or edit disable-user-list to +/etc/dconf/db/gdm.d/00-security-settings. For example: +[org/gnome/login-screen] +disable-user-list=true +Once the setting has been added, add a lock to +/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent +user modification. For example: +/org/gnome/login-screen/disable-user-list +After the settings have been set, run dconf update. + CM-6(a) + AC-23 + Leaving the user list enabled is a security risk since it allows anyone +with physical access to the system to quickly enumerate known user accounts +without logging in. + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-AC-23 + - NIST-800-53-CM-6(a) + - dconf_gnome_disable_user_list + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Disable the GNOME3 Login User List + ini_file: + dest: /etc/dconf/db/gdm.d/00-security-settings + section: org/gnome/login-screen + option: disable-user-list + value: 'true' + no_extra_spaces: true + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-23 + - NIST-800-53-CM-6(a) + - dconf_gnome_disable_user_list + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME3 disablement of Login User List + lineinfile: + path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock + regexp: ^/org/gnome/login-screen/disable-user-list + line: /org/gnome/login-screen/disable-user-list + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-23 + - NIST-800-53-CM-6(a) + - dconf_gnome_disable_user_list + - low_complexity + - 
medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-23 + - NIST-800-53-CM-6(a) + - dconf_gnome_disable_user_list + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Disable GDM Guest Login + The GNOME Display Manager (GDM) can allow users to login without credentials +which can be useful for public kiosk scenarios. Allowing users to login without credentials +or "guest" account access has inherent security risks and should be disabled. To do disable +timed logins or guest account access, set the TimedLoginEnable to false in +the [daemon] section in /etc/gdm/custom.conf. For example: +[daemon] +TimedLoginEnable=false + 3.1.1 + CCI-000366 + CM-7(a) + CM-7(b) + CM-6(a) + IA-2 + PR.IP-1 + FIA_UAU.1 + SRG-OS-000480-GPOS-00229 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 3 + 9 + Failure to restrict system access to authenticated users negatively impacts operating +system security. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +if rpm --quiet -q gdm +then + if ! 
grep -q "^TimedLoginEnable=" /etc/gdm/custom.conf + then + sed -i "/^\[daemon\]/a \ + TimedLoginEnable=False" /etc/gdm/custom.conf + else + sed -i "s/^TimedLoginEnable=.*/TimedLoginEnable=False/g" /etc/gdm/custom.conf + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.1 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-IA-2 + - gnome_gdm_disable_guest_login + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Disable GDM Guest Login + ini_file: + dest: /etc/gdm/custom.conf + section: daemon + option: TimedLoginEnable + value: 'false' + no_extra_spaces: true + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.1 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-IA-2 + - gnome_gdm_disable_guest_login + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Enable the GNOME3 Login Smartcard Authentication + In the default graphical environment, smart card authentication +can be enabled on the login screen by setting enable-smartcard-authentication +to true. + +To enable, add or edit enable-smartcard-authentication to +/etc/dconf/db/gdm.d/00-security-settings. For example: +[org/gnome/login-screen] +enable-smartcard-authentication=true +Once the setting has been added, add a lock to +/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/login-screen/enable-smartcard-authentication +After the settings have been set, run dconf update. 
+ CCI-000765 + CCI-000766 + CCI-000767 + CCI-000768 + CCI-000771 + CCI-000772 + CCI-000884 + CCI-001948 + CCI-001954 + IA-2(3) + IA-2(4) + IA-2(8) + IA-2(9) + IA-2(11) + Req-8.3 + SRG-OS-000375-GPOS-00160 + SRG-OS-000376-GPOS-00161 + SRG-OS-000377-GPOS-00162 + Smart card login provides two-factor authentication stronger than +that provided by a username and password combination. Smart cards leverage PKI +(public key infrastructure) in order to provide and verify credentials. + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-IA-2(11) + - NIST-800-53-IA-2(3) + - NIST-800-53-IA-2(4) + - NIST-800-53-IA-2(8) + - NIST-800-53-IA-2(9) + - PCI-DSS-Req-8.3 + - dconf_gnome_enable_smartcard_auth + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Enable the GNOME3 Login Smartcard Authentication + ini_file: + dest: /etc/dconf/db/gdm.d/00-security-settings + section: org/gnome/login-screen + option: enable-smartcard-authentication + value: 'true' + create: true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-IA-2(11) + - NIST-800-53-IA-2(3) + - NIST-800-53-IA-2(4) + - NIST-800-53-IA-2(8) + - NIST-800-53-IA-2(9) + - PCI-DSS-Req-8.3 + - dconf_gnome_enable_smartcard_auth + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME3 disablement of Smartcard Authentication + lineinfile: + path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock + regexp: ^/org/gnome/login-screen/enable-smartcard-authentication + line: /org/gnome/login-screen/enable-smartcard-authentication + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-IA-2(11) + - 
NIST-800-53-IA-2(3) + - NIST-800-53-IA-2(4) + - NIST-800-53-IA-2(8) + - NIST-800-53-IA-2(9) + - PCI-DSS-Req-8.3 + - dconf_gnome_enable_smartcard_auth + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-IA-2(11) + - NIST-800-53-IA-2(3) + - NIST-800-53-IA-2(4) + - NIST-800-53-IA-2(8) + - NIST-800-53-IA-2(9) + - PCI-DSS-Req-8.3 + - dconf_gnome_enable_smartcard_auth + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Enable the GNOME3 Screen Locking On Smartcard Removal + In the default graphical environment, screen locking on smartcard removal +can be enabled by setting removal-action +to lock-screen. + +To enable, add or edit removal-action to +/etc/dconf/db/local.d/00-security-settings. For example: +[org/gnome/settings-daemon/peripherals/smartcard] +removal-action=lock-screen +Once the setting has been added, add a lock to +/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/settings-daemon/peripherals/smartcard/removal-action +After the settings have been set, run dconf update. + CCI-000056 + SRG-OS-000028-GPOS-00009 + SRG-OS-000030-GPOS-00011 + Locking the screen automatically when removing the smartcard can +prevent undesired access to system. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. 
+# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/settings-daemon/peripherals/smartcard\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/local.d/00-security-settings" +DBDIR="/etc/dconf/db/local.d" + +mkdir -p "${DBDIR}" + +if [ "${#SETTINGSFILES[@]}" -eq 0 ] +then + [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/settings-daemon/peripherals/smartcard]" >> ${DCONFFILE} + printf '%s=%s\n' "removal-action" "lock-screen" >> ${DCONFFILE} +else + escaped_value="$(sed -e 's/\\/\\\\/g' <<< "lock-screen")" + if grep -q "^\\s*removal-action\\s*=" "${SETTINGSFILES[@]}" + then + sed -i "s/\\s*removal-action\\s*=\\s*.*/removal-action=${escaped_value}/g" "${SETTINGSFILES[@]}" + else + sed -i "\\|\\[org/gnome/settings-daemon/peripherals/smartcard\\]|a\\removal-action=${escaped_value}" "${SETTINGSFILES[@]}" + fi +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/local.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/settings-daemon/peripherals/smartcard/removal-action" >> "/etc/dconf/db/local.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - dconf_gnome_lock_screen_on_smartcard_removal + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Detect if removal-action can be found on /etc/dconf/db/local.d/ + find: + path: /etc/dconf/db/local.d/ + contains: ^\s*removal-action + register: dconf_gnome_lock_screen_on_smartcard_removal_config_files + when: + - '"gdm" in ansible_facts.packages' + 
- ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_lock_screen_on_smartcard_removal + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Configure removal-action - default file + ini_file: + dest: /etc/dconf/db/local.d//00-security-settings + section: org/gnome/settings-daemon/peripherals/smartcard + option: removal-action + value: lock-screen + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - dconf_gnome_lock_screen_on_smartcard_removal_config_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_config_files.matched + == 0 + tags: + - dconf_gnome_lock_screen_on_smartcard_removal + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Configure removal-action - existing files + ini_file: + dest: '{{ item.path }}' + section: org/gnome/settings-daemon/peripherals/smartcard + option: removal-action + value: lock-screen + create: true + with_items: '{{ dconf_gnome_lock_screen_on_smartcard_removal_config_files.files + }}' + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - dconf_gnome_lock_screen_on_smartcard_removal_config_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_config_files.matched + > 0 + tags: + - dconf_gnome_lock_screen_on_smartcard_removal + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Detect if lock for removal-action can be found on /etc/dconf/db/local.d/ + find: + path: /etc/dconf/db/local.d/locks + contains: ^\s*removal-action + register: dconf_gnome_lock_screen_on_smartcard_removal_lock_files + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", 
"lxc", "openvz", "podman", "container"] + tags: + - dconf_gnome_lock_screen_on_smartcard_removal + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification removal-action - default file + lineinfile: + path: /etc/dconf/db/local.d/locks/00-security-settings-lock + regexp: ^/org/gnome/settings-daemon/peripherals/smartcard/removal-action + line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - dconf_gnome_lock_screen_on_smartcard_removal_lock_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_lock_files.matched + == 0 + tags: + - dconf_gnome_lock_screen_on_smartcard_removal + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification removal-action - existing files + lineinfile: + path: '{{ item.path }}' + regexp: ^/org/gnome/settings-daemon/peripherals/smartcard/removal-action + line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action + create: true + with_items: '{{ dconf_gnome_lock_screen_on_smartcard_removal_lock_files.files }}' + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - dconf_gnome_lock_screen_on_smartcard_removal_lock_files is defined and dconf_gnome_lock_screen_on_smartcard_removal_lock_files.matched + > 0 + tags: + - dconf_gnome_lock_screen_on_smartcard_removal + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update - removal-action + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - 
dconf_gnome_lock_screen_on_smartcard_removal + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Disable the GNOME3 Login Restart and Shutdown Buttons + In the default graphical environment, users logging directly into the +system are greeted with a login screen that allows any user, known or +unknown, the ability the ability to shutdown or restart the system. This +functionality should be disabled by setting +disable-restart-buttons to true. + +To disable, add or edit disable-restart-buttons to +/etc/dconf/db/gdm.d/00-security-settings. For example: +[org/gnome/login-screen] +disable-restart-buttons=true +Once the setting has been added, add a lock to +/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent +user modification. For example: +/org/gnome/login-screen/disable-restart-buttons +After the settings have been set, run dconf update. + 3.1.2 + CCI-000366 + CM-6(a) + AC-6(1) + CM-7(b) + PR.AC-4 + PR.DS-5 + SRG-OS-000480-GPOS-00227 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + A user who is at the console can reboot the system at the login screen. If restart or shutdown buttons +are pressed at the login screen, this can create the risk of short-term loss of availability of systems +due to reboot. 
+ + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_restart_shutdown + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Disable the GNOME3 Login Restart and Shutdown Buttons + ini_file: + dest: /etc/dconf/db/gdm.d/00-security-settings + section: org/gnome/login-screen + option: disable-restart-buttons + value: 'true' + create: true + no_extra_spaces: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_restart_shutdown + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME disablement of Login Restart and Shutdown + Buttons + lineinfile: + path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock + regexp: ^/org/gnome/login-screen/disable-restart-buttons + line: /org/gnome/login-screen/disable-restart-buttons + create: true + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_restart_shutdown + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: + - '"gdm" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - dconf_gnome_disable_restart_shutdown + - high_severity + - low_complexity + - 
medium_disruption + - no_reboot_needed + - unknown_strategy + + + + + + + + + + + + Disk Partitioning + To ensure separation and protection of data, there +are top-level system directories which should be placed on their +own physical partition or logical volume. The installer's default +partitioning scheme creates separate logical volumes for +/, /boot, and swap. +If starting with any of the default layouts, check the box to +\"Review and modify partitioning.\" This allows for the easy creation +of additional logical volumes inside the volume group already +created, though it may require making /'s logical volume smaller to +create space. In general, using logical volumes is preferable to +using partitions because they can be more easily adjusted +later.If creating a custom layout, create the partitions mentioned in +the previous paragraph (which the installer will require anyway), +as well as separate ones described in the following sections. +If a system has already been installed, and the default +partitioning +scheme was used, it is possible but nontrivial to +modify it to create separate logical volumes for the directories +listed above. The Logical Volume Manager (LVM) makes this possible. +See the LVM HOWTO at + http://tldp.org/HOWTO/LVM-HOWTO/ +for more detailed information on LVM. + + Ensure /usr Located On Separate Partition + It is recommended that the /usr directory resides on a separate +partition. + BP28(R12) + The /usr partition contains system software, utilities and files. +Putting it on a separate partition allows limiting its size and applying +restrictions through mount options. + + +part /usr + + + + + + + + + + Ensure /tmp Located On Separate Partition + The /tmp directory is a world-writable directory used +for temporary file storage. Ensure it has its own partition or +logical volume at installation time, or migrate it using LVM. 
+ BP28(R12) + CCI-000366 + CM-6(a) + SC-5(2) + PR.PT-4 + SRG-OS-000480-GPOS-00227 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + APO13.01 + DSS05.02 + A.13.1.1 + A.13.2.1 + A.14.1.3 + 12 + 15 + 8 + The /tmp partition is used as temporary storage by many programs. +Placing /tmp in its own partition enables the setting of more +restrictive mount options, which can help protect programs which use it. + + +part /tmp + + + + + + + + + + Ensure /home Located On Separate Partition + If user home directories will be stored locally, create a separate partition +for /home at installation time (or migrate it later using LVM). If +/home will be mounted from another system such as an NFS server, then +creating a separate partition is not necessary at installation time, and the +mountpoint can instead be configured later. + BP28(R12) + CCI-000366 + CCI-001208 + CM-6(a) + SC-5(2) + PR.PT-4 + SRG-OS-000480-GPOS-00227 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + APO13.01 + DSS05.02 + A.13.1.1 + A.13.2.1 + A.14.1.3 + 12 + 15 + 8 + Ensuring that /home is mounted on its own partition enables the +setting of more restrictive mount options, and also helps ensure that +users cannot trivially fill partitions used for log or audit data storage. + + +part /home + + + + + + + + + + Ensure /var Located On Separate Partition + The /var directory is used by daemons and other system +services to store frequently-changing data. Ensure that /var has its own partition +or logical volume at installation time, or migrate it using LVM. + BP28(R12) + CCI-000366 + CM-6(a) + SC-5(2) + PR.PT-4 + SRG-OS-000480-GPOS-00227 + SRG-OS-000341-VMM-001220 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + APO13.01 + DSS05.02 + A.13.1.1 + A.13.2.1 + A.14.1.3 + 12 + 15 + 8 + Ensuring that /var is mounted on its own partition enables the +setting of more restrictive mount options. 
This helps protect +system services such as daemons or other programs which use it. +It is not uncommon for the /var directory to contain +world-writable directories installed by other software packages. + + +part /var + + + + + + + + + + Ensure /var/log Located On Separate Partition + System logs are stored in the /var/log directory. +Ensure that it has its own partition or logical +volume at installation time, or migrate it using LVM. + BP28(R12) + BP28(R47) + CM-6(a) + AU-4 + SC-5(2) + PR.PT-1 + PR.PT-4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + APO13.01 + BAI03.05 + DSS05.02 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + 1 + 12 + 14 + 15 + 16 + 3 + 5 + 6 + 8 + SRG-OS-000480-GPOS-00227 + CCI-000366 + Placing /var/log in its own partition +enables better separation between log files +and other files in /var/. + + +part /var/log + + + + + + + + + + Ensure /boot Located On Separate Partition + It is recommended that the /boot directory resides on a separate +partition. This makes it easier to apply restrictions e.g. through the +noexec mount option. Eventually, the /boot partition can +be configured not to be mounted automatically with the noauto mount +option. + BP28(R12) + The /boot partition contains the kernel and bootloader files. +Access to this partition should be restricted. + + +part /boot + + + + + + + + + + Ensure /var/log/audit Located On Separate Partition + Audit logs are stored in the /var/log/audit directory. Ensure that it +has its own partition or logical volume at installation time, or migrate it +later using LVM. Make absolutely certain that it is large enough to store all +audit logs that will be created by the auditing daemon. 
+ CCI-000366 + CCI-001849 + 164.312(a)(2)(ii) + A.12.1.3 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.17.2.1 + CM-6(a) + AU-4 + SC-5(2) + PR.DS-4 + PR.PT-1 + PR.PT-4 + SRG-OS-000341-GPOS-00132 + SRG-OS-000480-GPOS-00227 + SRG-OS-000341-VMM-001220 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.2 + SR 7.6 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + APO13.01 + BAI03.05 + BAI04.04 + DSS05.02 + DSS05.04 + DSS05.07 + MEA02.01 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 8 + BP28(R43) + Placing /var/log/audit in its own partition +enables better separation between audit files +and other files, and helps ensure that +auditing cannot be halted due to the partition running out +of space. + + +part /var/log/audit + + + + + + + + + + Ensure /opt Located On Separate Partition + It is recommended that the /opt directory resides on a separate +partition. + BP28(R12) + The /opt partition contains additional software, usually installed +outside the packaging system. Putting this directory on a separate partition +makes it easier to apply restrictions e.g. through the nosuid mount +option. + + +part /opt + + + + + + + + + + Ensure /srv Located On Separate Partition + If a file server (FTP, TFTP...) is hosted locally, create a separate partition +for /srv at installation time (or migrate it later using LVM). If +/srv will be mounted from another system such as an NFS server, then +creating a separate partition is not necessary at installation time, and the +mountpoint can instead be configured later. + BP28(R12) + Srv deserves files for local network file server such as FTP. Ensuring +that /srv is mounted on its own partition enables the setting of +more restrictive mount options, and also helps ensure that +users cannot trivially fill partitions used for log or audit data storage. 
+ + +part /srv + + + + + + + + + + + SAP Specific Requirement + SAP (Systems, Applications and Products in Data Processing) is enterprise +software to manage business operations and customer relations. The +following section contains SAP specific requirement that is not part +of standard or common OS setting. + + Accounts Authorized Local Users on the Operating System + List the user accounts that are authorized locally on the operating system. This list +includes both users requried by the operating system and by the installed applications. +Depending on the Operating System distribution, version, software groups and applications, +the user list is different and can be customized with scap-workbench. +OVAL regular expression is used for the user list. +The list starts with '^' and ends with '$' so that it matches exactly the +username, not any string that includes the username. Users are separated with '|'. +For example, three users: bin, oracle and sapadm are allowd, then the list is +^(bin|oracle|sapadm)$. The user root is the only user that is hard coded +in OVAL that is always allowed on the operating system. + ^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$ + ^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|[a-z][a-z0-9][a-z0-9]adm|ora[a-z][a-z0-9][a-z0-9]|sapadm|oracle)$ + + + + Updating Software + The dnf command line tool is used to install and +update software packages. 
The system also provides a graphical +software update tool in the System menu, in the Administration submenu, +called Software Update. + +Fedora systems contain an installed software catalog called +the RPM database, which records metadata of installed packages. Consistently using +dnf or the graphical Software Update for all software installation +allows for insight into the current inventory of installed software on the system. + + + Install dnf-automatic Package + The dnf-automatic package can be installed with the following command: + +$ sudo dnf install dnf-automatic + SRG-OS-000191-GPOS-00080 + BP28(R8) + dnf-automatic is an alternative command line interface (CLI) +to dnf upgrade suitable for automatic, regular execution. + +if ! rpm -q --quiet "dnf-automatic" ; then + dnf install -y "dnf-automatic" +fi + + - name: Ensure dnf-automatic is installed + package: + name: dnf-automatic + state: present + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_dnf-automatic_installed + + include install_dnf-automatic + +class install_dnf-automatic { + package { 'dnf-automatic': + ensure => 'installed', + } +} + + +package --add=dnf-automatic + + +[[packages]] +name = "dnf-automatic" +version = "*" + + + + + + + + + + Ensure Fedora GPG Key Installed + To ensure the system can cryptographically verify base software +packages come from Fedora (and to connect to the Fedora Network to +receive them), the Fedora GPG key must properly be installed. 
+To install the Fedora GPG key, run one of the commands below, depending on your Fedora vesion: +$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-31-primary" +$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-30-primary" + 5.10.4.1 + 3.4.8 + CCI-001749 + 164.308(a)(1)(ii)(D) + 164.312(b) + 164.312(c)(1) + 164.312(c)(2) + 164.312(e)(2)(i) + CM-5(3) + SI-7 + SC-12 + SC-12(3) + CM-6(a) + PR.DS-6 + PR.DS-8 + PR.IP-1 + Req-6.2 + SR 3.1 + SR 3.3 + SR 3.4 + SR 3.8 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + 4.3.4.4.4 + APO01.06 + BAI03.05 + BAI06.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS06.02 + A.11.2.4 + A.12.1.2 + A.12.2.1 + A.12.5.1 + A.12.6.2 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 2 + 3 + 9 + Changes to software components can have significant effects on the +overall security of the operating system. This requirement ensures +the software has not been tampered with and that it has been provided +by a trusted vendor. The Fedora GPG key is necessary to +cryptographically verify packages are from Fedora." + +dnf install -y gpg + +fedora_version=$(grep -oP '[[:digit:]]+' /etc/redhat-release) + +function get_release_fingerprint { + if [ "${fedora_version}" -eq "31" ]; then + readonly FEDORA_RELEASE_FINGERPRINT="7D22D5867F2A4236474BF7B850CB390B3C3359C4" + elif [ "${fedora_version}" -eq "30" ]; then + readonly FEDORA_RELEASE_FINGERPRINT="F1D8EC98F241AAF20DF69420EF3C111FCFC659B9" + elif [ "${fedora_version}" -eq "32" ]; then + readonly FEDORA_RELEASE_FINGERPRINT="97A1AE57C3A2372CCA3A4ABA6C13026D12C944D0" + else + printf '%s\n' "This Fedora version '$fedora_version' is not supported anymore, please upgrade to a newer version." 
>&2 + return 1 + fi +} + +# Location of the key we would like to import (once it's integrity verified) +readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${fedora_version}-primary" + +RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")") + +function remediate_gpgkey_installed { + # Return if there was an issue getting the release fingerprint + get_release_fingerprint || return 1 + # Verify /etc/pki/rpm-gpg directory permissions are safe + if [ "${RPM_GPG_DIR_PERMS}" -le "755" ]; then + # If they are safe, try to obtain fingerprints from the key file + # (to ensure there won't be e.g. CRC error). + readarray -t GPG_OUT < <(gpg --show-keys --with-fingerprint --with-colons "${REDHAT_RELEASE_KEY}" | grep '^fpr' | cut -d ":" -f 10) + GPG_RESULT=$? + # No CRC error, safe to proceed + if [ "${GPG_RESULT}" -eq "0" ]; then + echo "${GPG_OUT}" | grep -vE "${FEDORA_RELEASE_FINGERPRINT}" || { + # If file doesn't contain any keys with unknown fingerprint, import it + rpm --import "${REDHAT_RELEASE_KEY}" + } + fi + fi +} + +remediate_gpgkey_installed + + + + + + + + + + Ensure gpgcheck Enabled for All dnf Package Repositories + To ensure signature checking is not disabled for +any repos, remove any lines from files in /etc/yum.repos.d of the form: +gpgcheck=0 + SRG-OS-000366-GPOS-00153 + SRG-OS-000366-VMM-001430 + SRG-OS-000370-VMM-001460 + SRG-OS-000404-VMM-001650 + 5.10.4.1 + 3.4.8 + CCI-001749 + 164.308(a)(1)(ii)(D) + 164.312(b) + 164.312(c)(1) + 164.312(c)(2) + 164.312(e)(2)(i) + CM-5(3) + SI-7 + SC-12 + SC-12(3) + CM-6(a) + SA-12 + SA-12(10) + CM-11(a) + CM-11(b) + PR.DS-6 + PR.DS-8 + PR.IP-1 + FPT_TUD_EXT.1 + FPT_TUD_EXT.2 + Req-6.2 + SR 3.1 + SR 3.3 + SR 3.4 + SR 3.8 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + 4.3.4.4.4 + APO01.06 + BAI03.05 + BAI06.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS06.02 + A.11.2.4 + A.12.1.2 + A.12.2.1 + A.12.5.1 + A.12.6.2 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 2 + 3 + 9 + BP28(R15) + 
Verifying the authenticity of the software prior to installation validates +the integrity of the patch or upgrade received from a vendor. This ensures +the software has not been tampered with and that it has been provided by a +trusted vendor. Self-signed certificates are disallowed by this +requirement. Certificates used to verify the software must be from an +approved Certificate Authority (CA)." + sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/* + + - name: Grep for dnf repo section names + shell: | + set -o pipefail + grep -HEr '^\[.+\]' -r /etc/yum.repos.d/ + register: repo_grep_results + ignore_errors: true + changed_when: false + tags: + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - enable_strategy + - ensure_gpgcheck_never_disabled + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + +- name: Set gpgcheck=1 for each dnf repo + ini_file: + path: '{{ item[0] }}' + section: '{{ item[1] }}' + option: gpgcheck + value: '1' + no_extra_spaces: true + loop: '{{ repo_grep_results.stdout | regex_findall( ''(.+\.repo):\[(.+)\]\n?'' ) + }}' + tags: + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - enable_strategy + - ensure_gpgcheck_never_disabled + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + + + + + + + + + + Ensure Software Patches Installed + +NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy +dictates. + Fedora does not have a corresponding OVAL CVE Feed. 
Therefore, this will result in a "not checked" result during a scan. + 5.10.4.1 + CCI-000366 + CCI-001227 + SI-2(5) + SI-2(c) + CM-6(a) + ID.RA-1 + PR.IP-12 + FMT_MOF_EXT.1 + Req-6.2 + SRG-OS-000480-GPOS-00227 + SRG-OS-000480-VMM-002000 + 4.2.3 + 4.2.3.12 + 4.2.3.7 + 4.2.3.9 + APO12.01 + APO12.02 + APO12.03 + APO12.04 + BAI03.10 + DSS05.01 + DSS05.02 + A.12.6.1 + A.14.2.3 + A.16.1.3 + A.18.2.2 + A.18.2.3 + 18 + 20 + 4 + BP28(R08) + Installing software updates is a fundamental mitigation against +the exploitation of publicly-known vulnerabilities. If the most +recent security patches and updates are not installed, unauthorized +users may take advantage of weaknesses in the unpatched software. The +lack of prompt attention to patching could result in a system compromise. + - name: Security patches are up to date + package: + name: '*' + state: latest + tags: + - CJIS-5.10.4.1 + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-2(5) + - NIST-800-53-SI-2(c) + - PCI-DSS-Req-6.2 + - high_disruption + - high_severity + - low_complexity + - patch_strategy + - reboot_required + - security_patches_up_to_date + - skip_ansible_lint + + + + Configure dnf-automatic to Install Only Security Updates + To configure dnf-automatic to install only security updates +automatically, set upgrade_type to security under +[commands] section in /etc/dnf/automatic.conf. + FMT_SMF_EXT.1 + SI-2(5) + CM-6(a) + SI-2(c) + SRG-OS-000191-GPOS-00080 + BP28(R8) + By default, dnf-automatic installs all available updates. +Reducing the amount of updated packages only to updates that were +issued as a part of a security advisory increases the system stability. 
+ +CONF="/etc/dnf/automatic.conf" +APPLY_UPDATES_REGEX="[[:space:]]*\[commands]([^\n\[]*\n+)+?[[:space:]]*upgrade_type" +COMMANDS_REGEX="[[:space:]]*\[commands]" + +# Try find [commands] and upgrade_type in automatic.conf, if it exists, set +# it to security, if it isn't here, add it, if [commands] doesn't exist, +# add it there +if grep -qzosP $APPLY_UPDATES_REGEX $CONF; then + sed -i "s/upgrade_type[^(\n)]*/upgrade_type = security/" $CONF +elif grep -qs $COMMANDS_REGEX $CONF; then + sed -i "/$COMMANDS_REGEX/a upgrade_type = security" $CONF +else + mkdir -p /etc/dnf + echo -e "[commands]\nupgrade_type = security" >> $CONF +fi + + - name: Configure dnf-automatic to Install Only Security Updates + ini_file: + dest: /etc/dnf/automatic.conf + section: commands + option: upgrade_type + value: security + create: true + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-2(5) + - NIST-800-53-SI-2(c) + - dnf-automatic_security_updates_only + - low_complexity + - low_severity + - medium_disruption + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Configure dnf-automatic to Install Available Updates Automatically + To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf. + FMT_SMF_EXT.1 + SI-2(5) + CM-6(a) + SI-2(c) + SRG-OS-000191-GPOS-00080 + 0940 + 1144 + 1467 + 1472 + 1483 + 1493 + 1494 + 1495 + BP28(R8) + Installing software updates is a fundamental mitigation against +the exploitation of publicly-known vulnerabilities. If the most +recent security patches and updates are not installed, unauthorized +users may take advantage of weaknesses in the unpatched software. The +lack of prompt attention to patching could result in a system compromise. +The automated installation of updates ensures that recent security patches +are applied in a timely manner. 
+ +CONF="/etc/dnf/automatic.conf" +APPLY_UPDATES_REGEX="[[:space:]]*\[commands]([^\n\[]*\n+)+?[[:space:]]*apply_updates" +COMMANDS_REGEX="[[:space:]]*\[commands]" + +# Try find [commands] and apply_updates in automatic.conf, if it exists, set +# to yes, if it isn't here, add it, if [commands] doesn't exist, add it there +if grep -qzosP $APPLY_UPDATES_REGEX $CONF; then + sed -i "s/apply_updates[^(\n)]*/apply_updates = yes/" $CONF +elif grep -qs $COMMANDS_REGEX $CONF; then + sed -i "/$COMMANDS_REGEX/a apply_updates = yes" $CONF +else + mkdir -p /etc/dnf + echo -e "[commands]\napply_updates = yes" >> $CONF +fi + + - name: Configure dnf-automatic to Install Available Updates Automatically + ini_file: + dest: /etc/dnf/automatic.conf + section: commands + option: apply_updates + value: 'yes' + create: true + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-2(5) + - NIST-800-53-SI-2(c) + - dnf-automatic_apply_updates + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Enable dnf-automatic Timer + +The dnf-automatic timer can be enabled with the following command: +$ sudo systemctl enable dnf-automatic.timer + FMT_SMF_EXT.1 + SI-2(5) + CM-6(a) + SI-2(c) + SRG-OS-000191-GPOS-00080 + BP28(R8) + The dnf-automatic is an alternative command line interface (CLI) to dnf upgrade with specific facilities to make it suitable to be executed automatically and regularly from systemd timers, cron jobs and similar. +The tool is controlled by dnf-automatic.timer SystemD timer. 
+ +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" start 'dnf-automatic.timer' +"$SYSTEMCTL_EXEC" enable 'dnf-automatic.timer' + + - name: Enable timer dnf-automatic + block: + + - name: Gather the package facts + package_facts: + manager: auto + + - name: Enable timer dnf-automatic + systemd: + name: dnf-automatic.timer + enabled: 'yes' + state: started + when: + - '"dnf-automatic" in ansible_facts.packages' + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-2(5) + - NIST-800-53-SI-2(c) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - timer_dnf-automatic_enabled + + + + + + + + + + Ensure gpgcheck Enabled In Main dnf Configuration + The gpgcheck option controls whether +RPM packages' signatures are always checked prior to installation. +To configure dnf to check package signatures before installing +them, ensure the following line appears in /etc/dnf/dnf.conf in +the [main] section: +gpgcheck=1 + 5.10.4.1 + 3.4.8 + CCI-001749 + 164.308(a)(1)(ii)(D) + 164.312(b) + 164.312(c)(1) + 164.312(c)(2) + 164.312(e)(2)(i) + CM-5(3) + SI-7 + SC-12 + SC-12(3) + CM-6(a) + SA-12 + SA-12(10) + CM-11(a) + CM-11(b) + PR.DS-6 + PR.DS-8 + PR.IP-1 + FPT_TUD_EXT.1 + FPT_TUD_EXT.2 + Req-6.2 + SRG-OS-000366-GPOS-00153 + SRG-OS-000366-VMM-001430 + SRG-OS-000370-VMM-001460 + SRG-OS-000404-VMM-001650 + SR 3.1 + SR 3.3 + SR 3.4 + SR 3.8 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + 4.3.4.4.4 + APO01.06 + BAI03.05 + BAI06.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS06.02 + A.11.2.4 + A.12.1.2 + A.12.2.1 + A.12.5.1 + A.12.6.2 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 2 + 3 + 9 + BP28(R15) + Changes to any software components can have significant effects on the +overall security of the operating system. This requirement ensures the +software has not been tampered with and that it has been provided by a +trusted vendor. 
+ +Accordingly, patches, service packs, device drivers, or operating system +components must be signed with a certificate recognized and approved by the +organization. +Verifying the authenticity of the software prior to installation +validates the integrity of the patch or upgrade received from a vendor. +This ensures the software has not been tampered with and that it has been +provided by a trusted vendor. Self-signed certificates are disallowed by +this requirement. Certificates used to verify the software must be from an +approved Certificate Authority (CA). + + # Remediation is applicable only in certain platforms +if rpm --quiet -q yum; then + + +replace_or_append "/etc/dnf/dnf.conf" '^gpgcheck' '1' '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_gpgcheck_globally_activated + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Check existence of yum on Fedora + stat: + path: /etc/yum.conf + register: yum_config_file + check_mode: false + when: + - '"yum" in ansible_facts.packages' + - ansible_distribution == "Fedora" + tags: + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_gpgcheck_globally_activated + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Ensure GPG check is globally activated (yum) + ini_file: + dest: 
/etc/yum.conf + section: main + option: gpgcheck + value: 1 + no_extra_spaces: true + create: false + when: + - '"yum" in ansible_facts.packages' + - (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution + == "Scientific" or yum_config_file.stat.exists) + tags: + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_gpgcheck_globally_activated + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Ensure GPG check is globally activated (dnf) + ini_file: + dest: /etc/dnf/dnf.conf + section: main + option: gpgcheck + value: 1 + no_extra_spaces: true + create: false + when: + - '"yum" in ansible_facts.packages' + - ansible_distribution == "Fedora" + tags: + - CJIS-5.10.4.1 + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - NIST-800-53-SC-12 + - NIST-800-53-SC-12(3) + - NIST-800-53-SI-7 + - PCI-DSS-Req-6.2 + - ensure_gpgcheck_globally_activated + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + + + + + + + + + + Ensure gpgcheck Enabled for Local Packages + dnf should be configured to verify the signature(s) of local packages +prior to installation. To configure dnf to verify signatures of local +packages, set the localpkg_gpgcheck to 1 in /etc/dnf/dnf.conf. 
+ 3.4.8 + CCI-001749 + 164.308(a)(1)(ii)(D) + 164.312(b) + 164.312(c)(1) + 164.312(c)(2) + 164.312(e)(2)(i) + CM-11(a) + CM-11(b) + CM-6(a) + CM-5(3) + SA-12 + SA-12(10) + PR.IP-1 + FPT_TUD_EXT.1 + FPT_TUD_EXT.2 + SRG-OS-000366-GPOS-00153 + SRG-OS-000366-VMM-001430 + SRG-OS-000370-VMM-001460 + SRG-OS-000404-VMM-001650 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 3 + 9 + BP28(R15) + Changes to any software components can have significant effects to the overall security +of the operating system. This requirement ensures the software has not been tampered and +has been provided by a trusted vendor. + +Accordingly, patches, service packs, device drivers, or operating system components must +be signed with a certificate recognized and approved by the organization. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q yum; then + + +replace_or_append '/etc/dnf/dnf.conf' '^localpkg_gpgcheck' '1' '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - ensure_gpgcheck_local_packages + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Check existence of yum on Fedora + stat: + path: /etc/yum.conf + register: yum_config_file + check_mode: false + when: + - '"yum" in ansible_facts.packages' + - ansible_distribution == "Fedora" + tags: + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - ensure_gpgcheck_local_packages + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - 
unknown_strategy + +- name: Ensure GPG check Enabled for Local Packages (Yum) + ini_file: + dest: /etc/yum.conf + section: main + option: localpkg_gpgcheck + value: 1 + create: true + when: + - '"yum" in ansible_facts.packages' + - (ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or ansible_distribution + == "Scientific" or yum_config_file.stat.exists) + tags: + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - ensure_gpgcheck_local_packages + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + +- name: Ensure GPG check Enabled for Local Packages (DNF) + ini_file: + dest: /etc/dnf/dnf.conf + section: main + option: localpkg_gpgcheck + value: 1 + create: true + when: + - '"yum" in ansible_facts.packages' + - ansible_distribution == "Fedora" + tags: + - NIST-800-171-3.4.8 + - NIST-800-53-CM-11(a) + - NIST-800-53-CM-11(b) + - NIST-800-53-CM-5(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-SA-12 + - NIST-800-53-SA-12(10) + - ensure_gpgcheck_local_packages + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - unknown_strategy + + + + + + + + + + + + Account and Access Control + In traditional Unix security, if an attacker gains +shell access to a certain login account, they can perform any action +or access any file to which that account has access. Therefore, +making it more difficult for unauthorized people to gain shell +access to accounts, particularly to privileged accounts, is a +necessary part of securing a system. This section introduces +mechanisms for restricting access to accounts under +Fedora. + + Warning Banners for System Accesses + Each system should expose as little information about +itself as possible. 
+ +System banners, which are typically displayed just before a +login prompt, give out information about the service or the host's +operating system. This might include the distribution name and the +system kernel version, and the particular version of a network +service. This information can assist intruders in gaining access to +the system as it can reveal whether the system is running +vulnerable software. Most network services can be configured to +limit what information is displayed. + +Many organizations implement security policies that require a +system banner provide notice of the system's ownership, provide +warning to unauthorized users, and remind authorized users of their +consent to monitoring. + + Login Banner Verbiage + Enter an appropriate login banner for your organization. Please note that new lines must +be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. + ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\)\,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including\,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to\,[\s\n]+penetration[\s\n]+testing\,[\s\n]+COMSEC[\s\n]+monitoring\,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense\,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\)\,[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\)\,[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time\,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[
\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using\,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on\,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private\,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring\,[\s\n]+interception\,[\s\n]+and[\s\n]+search\,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.\,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above\,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM\,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications\,[\s\n]+or[\s\n]+work[\s\n]+product\,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys\,[\s\n]+psychotherapists\,[\s\n]+or[\s\n]+clergy\,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$ + 
^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\)\,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including\,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to\,[\s\n]+penetration[\s\n]+testing\,[\s\n]+COMSEC[\s\n]+monitoring\,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense\,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\)\,[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\)\,[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time\,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using\,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on\,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private\,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring\,[\s\n]+interception\,[\s\n]+and[\s\n]+search\,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.\,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above\,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM\,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\
n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications\,[\s\n]+or[\s\n]+work[\s\n]+product\,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys\,[\s\n]+psychotherapists\,[\s\n]+or[\s\n]+clergy\,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$ + ^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$ + ^Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication\,[\s\n]+transmission\,[\s\n]+processing\,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U\.S\.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems\,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations\,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity\,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes\.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+awa
re[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes\,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information\,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user\,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use\,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action\.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.$ + 
^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$ + + + Verify ownership of System Login Banner + +To properly set the owner of /etc/issue, run the command: +$ sudo chown root /etc/issue + Display of a standardized and approved use notification before granting +access to the operating system ensures privacy and security notification +verbiage used is consistent with applicable federal laws, Executive Orders, +directives, policies, regulations, standards, and guidance. +Proper ownership will ensure that only root user can modify the banner. 
+ + +chown 0 /etc/issue + + - name: Test for existence /etc/issue + stat: + path: /etc/issue + register: file_exists + tags: + - configure_strategy + - file_owner_etc_issue + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure owner 0 on /etc/issue + file: + path: /etc/issue + owner: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_owner_etc_issue + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify permissions on Message of the Day Banner + +To properly set the permissions of /etc/motd, run the command: +$ sudo chmod 0644 /etc/motd + Display of a standardized and approved use notification before granting +access to the operating system ensures privacy and security notification +verbiage used is consistent with applicable federal laws, Executive Orders, +directives, policies, regulations, standards, and guidance. +Proper permissions will ensure that only root user can modify the banner. 
+ + +chmod 0644 /etc/motd + + - name: Test for existence /etc/motd + stat: + path: /etc/motd + register: file_exists + tags: + - configure_strategy + - file_permissions_etc_motd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure permission 0644 on /etc/motd + file: + path: /etc/motd + mode: '0644' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_permissions_etc_motd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify permissions on System Login Banner + +To properly set the permissions of /etc/issue, run the command: +$ sudo chmod 0644 /etc/issue + Display of a standardized and approved use notification before granting +access to the operating system ensures privacy and security notification +verbiage used is consistent with applicable federal laws, Executive Orders, +directives, policies, regulations, standards, and guidance. +Proper permissions will ensure that only root user can modify the banner. 
+ + +chmod 0644 /etc/issue + + - name: Test for existence /etc/issue + stat: + path: /etc/issue + register: file_exists + tags: + - configure_strategy + - file_permissions_etc_issue + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure permission 0644 on /etc/issue + file: + path: /etc/issue + mode: '0644' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_permissions_etc_issue + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Group Ownership of System Login Banner + +To properly set the group owner of /etc/issue, run the command: +$ sudo chgrp root /etc/issue + Display of a standardized and approved use notification before granting +access to the operating system ensures privacy and security notification +verbiage used is consistent with applicable federal laws, Executive Orders, +directives, policies, regulations, standards, and guidance. +Proper group ownership will ensure that only root user can modify the banner. 
+ + +chgrp 0 /etc/issue + + - name: Test for existence /etc/issue + stat: + path: /etc/issue + register: file_exists + tags: + - configure_strategy + - file_groupowner_etc_issue + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure group owner 0 on /etc/issue + file: + path: /etc/issue + group: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_groupowner_etc_issue + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify ownership of Message of the Day Banner + +To properly set the owner of /etc/motd, run the command: +$ sudo chown root /etc/motd + Display of a standardized and approved use notification before granting +access to the operating system ensures privacy and security notification +verbiage used is consistent with applicable federal laws, Executive Orders, +directives, policies, regulations, standards, and guidance. +Proper ownership will ensure that only root user can modify the banner. 
+ + +chown 0 /etc/motd + + - name: Test for existence /etc/motd + stat: + path: /etc/motd + register: file_exists + tags: + - configure_strategy + - file_owner_etc_motd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure owner 0 on /etc/motd + file: + path: /etc/motd + owner: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_owner_etc_motd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Group Ownership of Message of the Day Banner + +To properly set the group owner of /etc/motd, run the command: +$ sudo chgrp root /etc/motd + Display of a standardized and approved use notification before granting +access to the operating system ensures privacy and security notification +verbiage used is consistent with applicable federal laws, Executive Orders, +directives, policies, regulations, standards, and guidance. +Proper group ownership will ensure that only root user can modify the banner. + + +chgrp 0 /etc/motd + + - name: Test for existence /etc/motd + stat: + path: /etc/motd + register: file_exists + tags: + - configure_strategy + - file_groupowner_etc_motd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure group owner 0 on /etc/motd + file: + path: /etc/motd + group: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_groupowner_etc_motd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Modify the System Login Banner + To configure the system login banner edit /etc/issue. Replace the +default text with a message compliant with the local site policy or a legal +disclaimer. + +The DoD required text is either: + +You are accessing a U.S. Government (USG) Information System (IS) that +is provided for USG-authorized use only. 
By using this IS (which includes +any device attached to this IS), you consent to the following conditions: +-The USG routinely intercepts and monitors communications on this IS +for purposes including, but not limited to, penetration testing, COMSEC +monitoring, network operations and defense, personnel misconduct (PM), law +enforcement (LE), and counterintelligence (CI) investigations. +-At any time, the USG may inspect and seize data stored on this IS. +-Communications using, or data stored on, this IS are not private, +are subject to routine monitoring, interception, and search, and may be +disclosed or used for any USG-authorized purpose. +-This IS includes security measures (e.g., authentication and access +controls) to protect USG interests -- not for your personal benefit or +privacy. +-Notwithstanding the above, using this IS does not constitute consent +to PM, LE or CI investigative searching or monitoring of the content of +privileged communications, or work product, related to personal +representation or services by attorneys, psychotherapists, or clergy, and +their assistants. Such communications and work product are private and +confidential. See User Agreement for details. + +OR: + +I've read & consent to terms in IS user agreem't. 
+ 3.1.9 + CCI-000048 + CCI-000050 + AC-8(a) + AC-8(c) + PR.AC-7 + FMT_MOF_EXT.1 + SRG-OS-000023-GPOS-00006 + SRG-OS-000024-GPOS-00007 + SRG-OS-000023-VMM-000060 + SRG-OS-000024-VMM-000070 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + Display of a standardized and approved use notification before granting +access to the operating system ensures privacy and security notification +verbiage used is consistent with applicable federal laws, Executive Orders, +directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via login interfaces +with human users and are not required when such human interfaces do not +exist. + + + + + + + + + + + + + Modify the System Message of the Day Banner + To configure the system message banner edit /etc/motd. Replace the +default text with a message compliant with the local site policy or a legal +disclaimer. + +The DoD required text is either: + +You are accessing a U.S. Government (USG) Information System (IS) that +is provided for USG-authorized use only. By using this IS (which includes +any device attached to this IS), you consent to the following conditions: +-The USG routinely intercepts and monitors communications on this IS +for purposes including, but not limited to, penetration testing, COMSEC +monitoring, network operations and defense, personnel misconduct (PM), law +enforcement (LE), and counterintelligence (CI) investigations. +-At any time, the USG may inspect and seize data stored on this IS. +-Communications using, or data stored on, this IS are not private, +are subject to routine monitoring, interception, and search, and may be +disclosed or used for any USG-authorized purpose. 
+-This IS includes security measures (e.g., authentication and access +controls) to protect USG interests -- not for your personal benefit or +privacy. +-Notwithstanding the above, using this IS does not constitute consent +to PM, LE or CI investigative searching or monitoring of the content of +privileged communications, or work product, related to personal +representation or services by attorneys, psychotherapists, or clergy, and +their assistants. Such communications and work product are private and +confidential. See User Agreement for details. + +OR: + +I've read & consent to terms in IS user agreem't. + Display of a standardized and approved use notification before granting +access to the operating system ensures privacy and security notification +verbiage used is consistent with applicable federal laws, Executive Orders, +directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via login interfaces +with human users and are not required when such human interfaces do not +exist. + + + + + + + + + + + + + Implement a GUI Warning Banner + In the default graphical environment, users logging +directly into the system are greeted with a login screen provided +by the GNOME Display Manager (GDM). The warning banner should be +displayed in this graphical environment for these users. +The following sections describe how to configure the GDM login +banner. + + + Set the GNOME3 Login Warning Banner Text + In the default graphical environment, configuring the login warning banner text +in the GNOME Display Manager's login screen can be configured on the login +screen by setting banner-message-text to 'APPROVED_BANNER' +where APPROVED_BANNER is the approved banner for your environment. + +To enable, add or edit banner-message-text to +/etc/dconf/db/gdm.d/00-security-settings. 
For example: +[org/gnome/login-screen] +banner-message-text='APPROVED_BANNER' +Once the setting has been added, add a lock to +/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/login-screen/banner-message-text +After the settings have been set, run dconf update. +When entering a warning banner that spans several lines, remember +to begin and end the string with ' and use \n for new lines. + 3.1.9 + CCI-000048 + AC-8(a) + AC-8(c) + PR.AC-7 + FMT_MOF_EXT.1 + SRG-OS-000023-GPOS-00006 + SRG-OS-000024-GPOS-00007 + SRG-OS-000228-GPOS-00088 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + An appropriate warning message reinforces policy awareness during the logon +process and facilitates possible legal action against attackers. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + + +login_banner_text="" + + + +# Multiple regexes transform the banner regex into a usable banner +# 0 - Remove anchors around the banner text +login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g') +# 1 - Keep only the first banners if there are multiple +# (dod_banners contains the long and short banner) +login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\)|.*)$/\1/g') +# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ") +login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g') +# 3 - Adds newline "tokens". (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "(n)*") +login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\n)+)/(n)*/g') +# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example). 
+login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g') +# 5 - Removes the newline "token." (Transforms them into newline escape sequences "\n"). +# ( Needs to be done after 4, otherwise the escapce sequence will become just "n". +login_banner_text=$(echo "$login_banner_text" | sed 's/(n)\*/\\n/g') + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" +DBDIR="/etc/dconf/db/gdm.d" + +mkdir -p "${DBDIR}" + +if [ "${#SETTINGSFILES[@]}" -eq 0 ] +then + [ ! -z ${DCONFFILE} ] || echo "" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} + printf '%s=%s\n' "banner-message-text" "'${login_banner_text}'" >> ${DCONFFILE} +else + escaped_value="$(sed -e 's/\\/\\\\/g' <<< "'${login_banner_text}'")" + if grep -q "^\\s*banner-message-text\\s*=" "${SETTINGSFILES[@]}" + then + sed -i "s/\\s*banner-message-text\\s*=\\s*.*/banner-message-text=${escaped_value}/g" "${SETTINGSFILES[@]}" + else + sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-text=${escaped_value}" "${SETTINGSFILES[@]}" + fi +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/login-screen/banner-message-text$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/login-screen/banner-message-text" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.9 + - NIST-800-53-AC-8(a) + - NIST-800-53-AC-8(c) + - 
dconf_gnome_login_banner_text + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy +- name: XCCDF Value login_banner_text # promote to variable + set_fact: + login_banner_text: !!str + tags: + - always + +- name: Set the GNOME3 Login Warning Banner Text + file: + path: /etc/dconf/db/{{ item }} + owner: root + group: root + mode: 493 + state: directory + with_items: + - gdm.d + - gdm.d/locks + when: '"gdm" in ansible_facts.packages' + tags: + - NIST-800-171-3.1.9 + - NIST-800-53-AC-8(a) + - NIST-800-53-AC-8(c) + - dconf_gnome_login_banner_text + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Set the GNOME3 Login Warning Banner Text + file: + path: /etc/dconf/db/gdm.d/{{ item }} + owner: root + group: root + mode: 420 + state: touch + with_items: + - 00-security-settings + - locks/00-security-settings-lock + when: '"gdm" in ansible_facts.packages' + tags: + - NIST-800-171-3.1.9 + - NIST-800-53-AC-8(a) + - NIST-800-53-AC-8(c) + - dconf_gnome_login_banner_text + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Set the GNOME3 Login Warning Banner Text + ini_file: + dest: /etc/dconf/db/gdm.d/00-security-settings + section: org/gnome/login-screen + option: banner-message-text + value: '''{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*)\|.*\)$", + "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)", + "(n)*") | regex_replace("\\", "") | regex_replace("\(n\)\*", "\\n") }}''' + create: true + no_extra_spaces: true + when: '"gdm" in ansible_facts.packages' + tags: + - NIST-800-171-3.1.9 + - NIST-800-53-AC-8(a) + - NIST-800-53-AC-8(c) + - dconf_gnome_login_banner_text + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of the GNOME3 Login 
Warning Banner Text + lineinfile: + path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock + regexp: ^/org/gnome/login-screen/banner-message-text$ + line: /org/gnome/login-screen/banner-message-text + create: true + state: present + when: '"gdm" in ansible_facts.packages' + tags: + - NIST-800-171-3.1.9 + - NIST-800-53-AC-8(a) + - NIST-800-53-AC-8(c) + - dconf_gnome_login_banner_text + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: '"gdm" in ansible_facts.packages' + tags: + - NIST-800-171-3.1.9 + - NIST-800-53-AC-8(a) + - NIST-800-53-AC-8(c) + - dconf_gnome_login_banner_text + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + + Enable GNOME3 Login Warning Banner + In the default graphical environment, displaying a login warning banner +in the GNOME Display Manager's login screen can be enabled on the login +screen by setting banner-message-enable to true. + +To enable, add or edit banner-message-enable to +/etc/dconf/db/gdm.d/00-security-settings. For example: +[org/gnome/login-screen] +banner-message-enable=true +Once the setting has been added, add a lock to +/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. +For example: +/org/gnome/login-screen/banner-message-enable +After the settings have been set, run dconf update. +The banner text must also be set. 
+ 3.1.9 + CCI-000048 + CCI-000050 + CCI-001384 + CCI-001385 + CCI-001386 + CCI-001387 + CCI-001388 + AC-8(a) + AC-8(b) + AC-8(c) + PR.AC-7 + FMT_MOF_EXT.1 + SRG-OS-000023-GPOS-00006 + SRG-OS-000024-GPOS-00007 + SRG-OS-000228-GPOS-00088 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + Display of a standardized and approved use notification before granting access to the operating system +ensures privacy and security notification verbiage used is consistent with applicable federal laws, +Executive Orders, directives, policies, regulations, standards, and guidance. + +For U.S. Government systems, system use notifications are required only for access via login interfaces +with human users and are not required when such human interfaces do not exist. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q gdm; then + +# Check for setting in any of the DConf db directories +# If files contain ibus or distro, ignore them. +# The assignment assumes that individual filenames don't contain : +readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings" +DBDIR="/etc/dconf/db/gdm.d" + +mkdir -p "${DBDIR}" + +if [ "${#SETTINGSFILES[@]}" -eq 0 ] +then + [ ! 
-z ${DCONFFILE} ] || echo "" >> ${DCONFFILE} + printf '%s\n' "[org/gnome/login-screen]" >> ${DCONFFILE} + printf '%s=%s\n' "banner-message-enable" "true" >> ${DCONFFILE} +else + escaped_value="$(sed -e 's/\\/\\\\/g' <<< "true")" + if grep -q "^\\s*banner-message-enable\\s*=" "${SETTINGSFILES[@]}" + then + sed -i "s/\\s*banner-message-enable\\s*=\\s*.*/banner-message-enable=${escaped_value}/g" "${SETTINGSFILES[@]}" + else + sed -i "\\|\\[org/gnome/login-screen\\]|a\\banner-message-enable=${escaped_value}" "${SETTINGSFILES[@]}" + fi +fi + +dconf update +# Check for setting in any of the DConf db directories +LOCKFILES=$(grep -r "^/org/gnome/login-screen/banner-message-enable$" "/etc/dconf/db/" | grep -v 'distro\|ibus' | cut -d":" -f1) +LOCKSFOLDER="/etc/dconf/db/gdm.d/locks" + +mkdir -p "${LOCKSFOLDER}" + +if [[ -z "${LOCKFILES}" ]] +then + echo "/org/gnome/login-screen/banner-message-enable" >> "/etc/dconf/db/gdm.d/locks/00-security-settings-lock" +fi + +dconf update + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.9 + - NIST-800-53-AC-8(a) + - NIST-800-53-AC-8(b) + - NIST-800-53-AC-8(c) + - dconf_gnome_banner_enabled + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Enable GNOME3 Login Warning Banner + ini_file: + dest: /etc/dconf/db/gdm.d/00-security-settings + section: org/gnome/login-screen + option: banner-message-enable + value: 'true' + create: true + no_extra_spaces: true + when: '"gdm" in ansible_facts.packages' + tags: + - NIST-800-171-3.1.9 + - NIST-800-53-AC-8(a) + - NIST-800-53-AC-8(b) + - NIST-800-53-AC-8(c) + - dconf_gnome_banner_enabled + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Prevent user modification of GNOME banner-message-enabled + lineinfile: + path: 
/etc/dconf/db/gdm.d/locks/00-security-settings-lock + regexp: ^/org/gnome/login-screen/banner-message-enable + line: /org/gnome/login-screen/banner-message-enable + create: true + when: '"gdm" in ansible_facts.packages' + tags: + - NIST-800-171-3.1.9 + - NIST-800-53-AC-8(a) + - NIST-800-53-AC-8(b) + - NIST-800-53-AC-8(c) + - dconf_gnome_banner_enabled + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + +- name: Dconf Update + command: dconf update + when: '"gdm" in ansible_facts.packages' + tags: + - NIST-800-171-3.1.9 + - NIST-800-53-AC-8(a) + - NIST-800-53-AC-8(b) + - NIST-800-53-AC-8(c) + - dconf_gnome_banner_enabled + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + + + + + + + + + + + + Protect Accounts by Configuring PAM + PAM, or Pluggable Authentication Modules, is a system +which implements modular authentication for Linux programs. PAM provides +a flexible and configurable architecture for authentication, and it should be configured +to minimize exposure to unnecessary risk. This section contains +guidance on how to accomplish that. + +PAM is implemented as a set of shared objects which are +loaded and invoked whenever an application wishes to authenticate a +user. Typically, the application must be running as root in order +to take advantage of PAM, because PAM's modules often need to be able +to access sensitive stores of account information, such as /etc/shadow. +Traditional privileged network listeners +(e.g. sshd) or SUID programs (e.g. sudo) already meet this +requirement. An SUID root application, userhelper, is provided so +that programs which are not SUID or privileged themselves can still +take advantage of PAM. + +PAM looks in the directory /etc/pam.d for +application-specific configuration information. 
For instance, if +the program login attempts to authenticate a user, then PAM's +libraries follow the instructions in the file /etc/pam.d/login +to determine what actions should be taken. + +One very important file in /etc/pam.d is +/etc/pam.d/system-auth. This file, which is included by +many other PAM configuration files, defines 'default' system authentication +measures. Modifying this file is a good way to make far-reaching +authentication changes, for instance when implementing a +centralized authentication service. + Be careful when making changes to PAM's configuration files. +The syntax for these files is complex, and modifications can +have unexpected consequences. The default configurations shipped +with applications should be sufficient for most users. + Running authconfig or system-config-authentication +will re-write the PAM configuration files, destroying any manually +made changes and replacing them with a series of system defaults. +One reference to the configuration file syntax can be found at + +http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html. + + Password Hashing algorithm + Specify the system default encryption algorithm for encrypting passwords. +Defines the value set as ENCRYPT_METHOD in /etc/login.defs. + SHA512 + SHA512 + SHA256 + + + remember + The last n passwords for each user are saved in +/etc/security/opasswd in order to force password change history and +keep the user from alternating between the same password too +frequently. + 0 + 10 + 24 + 2 + 4 + 5 + 5 + + + Set Up a Private Namespace in PAM Configuration + To setup a private namespace add the following line to /etc/pam.d/login: +session required pam_namespace.so + BP28(R39) + The pam_namespace PAM module sets up a private namespace for a +session with polyinstantiated directories. A polyinstantiated directory +provides a different instance of itself based on user name, or when using +SELinux, user name, security context or both. 
The polyinstatied directories +can be used to dedicate separate temporary directories to each account. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if ! grep -Eq '^\s*session\s+required\s+pam_namespace.so\s*$' '/etc/pam.d/login' ; then + echo "session required pam_namespace.so" >> "/etc/pam.d/login" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - enable_pam_namespace + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - restrict_strategy + +- name: Make changes to /etc/pam.d/login + lineinfile: + path: /etc/pam.d/login + create: false + regexp: ^\s*session\s+required\s+pam_namespace.so\s*$ + line: session required pam_namespace.so + state: present + when: '"pam" in ansible_facts.packages' + tags: + - enable_pam_namespace + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure PAM Displays Last Logon/Access Notification + To configure the system to notify users of last logon/access +using pam_lastlog, add or correct the pam_lastlog +settings in + +/etc/pam.d/postlogin to read as follows: +session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet +session [default=1] pam_lastlog.so nowtmp showfailed +session optional pam_lastlog.so silent noupdate showfailed + 5.5.2 + CCI-000366 + AC-9(1) + CM-6(a) + PR.AC-7 + Req-10.2.4 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 0582 + 0584 + 05885 + 0586 + 0846 + 0957 + Users need to be aware of activity that occurs regarding +their account. 
Providing users with information regarding the number +of unsuccessful attempts that were made to login to their account +allows the user to determine if any unauthorized activity has occurred +and gives them an opportunity to notify administrators. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if grep -q "^session.*pam_lastlog.so" /etc/pam.d/postlogin; then + sed -i --follow-symlinks "/pam_lastlog.so/d" /etc/pam.d/postlogin +fi + +echo "session [default=1] pam_lastlog.so nowtmp showfailed" >> /etc/pam.d/postlogin +echo "session optional pam_lastlog.so silent noupdate showfailed" >> /etc/pam.d/postlogin + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Set Lockouts for Failed Password Attempts + The pam_faillock PAM module provides the capability to +lock out user accounts after a number of failed login attempts. Its +documentation is available in +/usr/share/doc/pam-VERSION/txts/README.pam_faillock. + + Locking out user accounts presents the +risk of a denial-of-service attack. The lockout policy +must weigh whether the risk of such a +denial-of-service attack outweighs the benefits of thwarting +password guessing attacks. 
+ + fail_deny + Number of failed login attempts before account lockout + 10 + 3 + 5 + 6 + 3 + + + fail_interval + Interval for counting failed login attempts before account lockout + 100000000 + 1800 + 3600 + 86400 + 900 + 900 + + + fail_unlock_time + Seconds before automatic unlocking or permanently locking after excessive failed logins + 1800 + 3600 + 600 + 604800 + 86400 + 900 + 0 + 0 + + + faildelay_delay + Delay next login attempt after a failed login + 0 + 4000000 + 4000000 + + + pwhistory_remember + Prevent password re-use using password history lookup + 0 + 5 + 6 + 7 + 8 + 9 + 5 + + + Configure the root Account for Failed Password Attempts + To configure the system to lock out the root account after a +number of incorrect login attempts using pam_faillock.so, modify +the content of both /etc/pam.d/system-auth and +/etc/pam.d/password-auth as follows: + +Modify the following line in the AUTH section to add +even_deny_root: +auth required pam_faillock.so preauth silent even_deny_root deny= unlock_time= fail_interval=Modify the following line in the AUTH section to add +even_deny_root: +auth [default=die] pam_faillock.so authfail even_deny_root deny= unlock_time= fail_interval= + + CCI-002238 + CCI-000044 + CM-6(a) + AC-7(b) + IA-5(c) + PR.AC-7 + FMT_MOF_EXT.1 + SRG-OS-000329-GPOS-00128 + SRG-OS-000021-GPOS-00005 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + BP28(R18) + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password +guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +AUTH_FILES[0]="/etc/pam.d/system-auth" +AUTH_FILES[1]="/etc/pam.d/password-auth" + +# This script fixes absence of pam_faillock.so in PAM stack or the +# absense of even_deny_root in pam_faillock.so arguments +# When inserting auth pam_faillock.so entries, +# the entry with preauth argument will be added before pam_unix.so module +# and entry with authfail argument will be added before pam_deny.so module. + +# The placement of pam_faillock.so entries will not be changed +# if they are already present + +for pamFile in "${AUTH_FILES[@]}" +do + # if PAM file is missing, system is not using PAM or broken + if [ ! -f $pamFile ]; then + continue + fi + + # is 'auth required' here? + if grep -q "^auth.*required.*pam_faillock.so.*" $pamFile; then + # has 'auth required' even_deny_root option? + if ! grep -q "^auth.*required.*pam_faillock.so.*preauth.*even_deny_root" $pamFile; then + # even_deny_root is not present + sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*\).*/\1 even_deny_root/" $pamFile + fi + else + # no 'auth required', add it + sed -i --follow-symlinks "/^auth.*pam_unix.so.*/i auth required pam_faillock.so preauth silent even_deny_root" $pamFile + fi + + # is 'auth [default=die]' here? + if grep -q "^auth.*\[default=die\].*pam_faillock.so.*" $pamFile; then + # has 'auth [default=die]' even_deny_root option? + if ! 
grep -q "^auth.*\[default=die\].*pam_faillock.so.*authfail.*even_deny_root" $pamFile; then + # even_deny_root is not present + sed -i --follow-symlinks "s/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\).*/\1 even_deny_root/" $pamFile + fi + else + # no 'auth [default=die]', add it + sed -i --follow-symlinks "/^auth.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail silent even_deny_root" $pamFile + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-AC-7(b) + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(c) + - accounts_passwords_pam_faillock_deny_root + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add auth pam_faillock preauth even_deny_root before pam_unix.so + pamd: + name: '{{ item }}' + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + new_control: required + new_module_path: pam_faillock.so + module_arguments: preauth silent even_deny_root + state: before + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-AC-7(b) + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(c) + - accounts_passwords_pam_faillock_deny_root + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add even_deny_root argument to auth pam_faillock preauth + pamd: + name: '{{ item }}' + type: auth + control: required + module_path: pam_faillock.so + module_arguments: preauth silent even_deny_root + state: args_present + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-AC-7(b) + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(c) + - accounts_passwords_pam_faillock_deny_root + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add auth pam_faillock 
authfail even_deny_root after pam_unix.so + pamd: + name: '{{ item }}' + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + new_control: '[default=die]' + new_module_path: pam_faillock.so + module_arguments: authfail even_deny_root + state: after + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-AC-7(b) + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(c) + - accounts_passwords_pam_faillock_deny_root + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add even_deny_root argument to auth pam_faillock authfail + pamd: + name: '{{ item }}' + type: auth + control: '[default=die]' + module_path: pam_faillock.so + module_arguments: authfail even_deny_root + state: args_present + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-AC-7(b) + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(c) + - accounts_passwords_pam_faillock_deny_root + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add account pam_faillock before pam_unix.so + pamd: + name: '{{ item }}' + type: account + control: required + module_path: pam_unix.so + new_type: account + new_control: required + new_module_path: pam_faillock.so + state: before + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-AC-7(b) + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(c) + - accounts_passwords_pam_faillock_deny_root + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Enforce pam_faillock for Local Accounts Only + The pam_faillock module's local_users_only parameter controls requirements for +enforcing failed lockout attempts only for local user accounts and ignoring +centralized user account management failed attempt configurations. 
Enable the local_users_only +setting in /etc/security/faillock.conf to require failed password attempts +for only local user accounts. + Using this rule bypasses pam_faillock's functionality and should be used in cases +where centralized management such as LDAP or Active Directory is in use. + CCI-000015 + AC-2(1) + SRG-OS-000001-GPOS-00001 + The operating system must provide automated mechanisms for supporting account management +functions. Enterprise environments make application account management challenging and +complex. A manual process for account management functions adds the risk of a potential +oversight or other error. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if [ -e "/etc/security/faillock.conf" ] ; then + LC_ALL=C sed -i "/^\s*local_users_only/Id" "/etc/security/faillock.conf" +else + touch "/etc/security/faillock.conf" +fi +cp "/etc/security/faillock.conf" "/etc/security/faillock.conf.bak" +# Insert at the end of the file +printf '%s\n' "local_users_only" >> "/etc/security/faillock.conf" +# Clean up after ourselves. 
+rm "/etc/security/faillock.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-AC-2(1) + - accounts_passwords_pam_faillock_enforce_local + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Enforce pam_faillock for Local Accounts Only + lineinfile: + path: /etc/security/faillock.conf + create: true + line: local_users_only + state: present + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-AC-2(1) + - accounts_passwords_pam_faillock_enforce_local + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Set Interval For Counting Failed Password Attempts + Utilizing pam_faillock.so, the fail_interval directive +configures the system to lock out an account after a number of incorrect +login attempts within a specified time period. 
Modify the content of both +/etc/pam.d/system-auth and /etc/pam.d/password-auth +as follows: + +Add the following line immediately before the + pam_unix.so statement in the AUTH section: +auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= +Add the following line immediately after the + pam_unix.so statement in the AUTH section: +auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= + +Add the following line immediately before the + pam_unix.so statement in the ACCOUNT section: +account required pam_faillock.so + + CCI-000044 + CCI-002236 + CCI-002237 + CCI-002238 + CM-6(a) + AC-7(a) + PR.AC-7 + FIA_AFL.1 + SRG-OS-000329-GPOS-00128 + SRG-OS-000021-GPOS-00005 + SRG-OS-000021-VMM-000050 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + BP28(R18) + By limiting the number of failed logon attempts the risk of unauthorized system +access via user password guessing, otherwise known as brute-forcing, is reduced. +Limits are imposed by locking the account. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +# include our remediation functions library + +var_accounts_passwords_pam_faillock_fail_interval="" + + + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") + +for pam_file in "${AUTH_FILES[@]}" +do + # is auth required pam_faillock.so preauth present? + if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then + # is the option set? 
+ if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*'"fail_interval"'=([0-9]*).*$' "$pam_file" ; then + # just change the value of option to a correct value + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"fail_interval"' *= *\).*/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" + # the option is not set. + else + # append the option + sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ '"fail_interval"'='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" + fi + # auth required pam_faillock.so preauth is not present, insert the whole line + else + sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent '"fail_interval"'='"$var_accounts_passwords_pam_faillock_fail_interval" "$pam_file" + fi + # is auth default pam_faillock.so authfail present? + if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*$' "$pam_file" ; then + # is the option set? + if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*'"fail_interval"'=([0-9]*).*$' "$pam_file" ; then + # just change the value of option to a correct value + sed -i --follow-symlinks 's/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\('"fail_interval"' *= *\).*/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" + # the option is not set. + else + # append the option + sed -i --follow-symlinks '/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ '"fail_interval"'='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" + fi + # auth default pam_faillock.so authfail is not present, insert the whole line + else + sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail '"fail_interval"'='"$var_accounts_passwords_pam_faillock_fail_interval" "$pam_file" + fi + if ! 
grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then + sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account required pam_faillock.so' "$pam_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - accounts_passwords_pam_faillock_interval + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_accounts_passwords_pam_faillock_fail_interval # promote to variable + set_fact: + var_accounts_passwords_pam_faillock_fail_interval: !!str + tags: + - always + +- name: Add auth pam_faillock preauth fail_interval before pam_unix.so + pamd: + name: '{{ item }}' + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + new_control: required + new_module_path: pam_faillock.so + module_arguments: preauth silent fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval + }} + state: before + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - accounts_passwords_pam_faillock_interval + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add fail_interval argument to auth pam_faillock preauth + pamd: + name: '{{ item }}' + type: auth + control: required + module_path: pam_faillock.so + module_arguments: preauth silent fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval + }} + state: args_present + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - accounts_passwords_pam_faillock_interval + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add auth pam_faillock aufthfail 
fail_interval after pam_unix.so + pamd: + name: '{{ item }}' + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + new_control: '[default=die]' + new_module_path: pam_faillock.so + module_arguments: authfail fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval + }} + state: after + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - accounts_passwords_pam_faillock_interval + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add fail_interval argument to auth pam_faillock authfail + pamd: + name: '{{ item }}' + type: auth + control: '[default=die]' + module_path: pam_faillock.so + module_arguments: authfail fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval + }} + state: args_present + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - accounts_passwords_pam_faillock_interval + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add account pam_faillock before pam_unix.so + pamd: + name: '{{ item }}' + type: account + control: required + module_path: pam_unix.so + new_type: account + new_control: required + new_module_path: pam_faillock.so + state: before + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - accounts_passwords_pam_faillock_interval + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Limit Password Reuse + Do not allow users to reuse recent passwords. This can be +accomplished by using the remember option for the pam_unix +or pam_pwhistory PAM modules. 
+ +In the file /etc/pam.d/system-auth, append remember= +to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below: +for the pam_unix.so case: +password sufficient pam_unix.so ...existing_options... remember= +for the pam_pwhistory.so case: +password requisite pam_pwhistory.so ...existing_options... remember= + +The DoD STIG requirement is 5 passwords. + 5.6.2.1.1 + 3.5.8 + CCI-000200 + IA-5(f) + IA-5(1)(e) + PR.AC-1 + PR.AC-6 + PR.AC-7 + Req-8.2.5 + SRG-OS-000077-GPOS-00045 + SRG-OS-000077-VMM-000440 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + BP28(R18) + Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + + +var_password_pam_unix_remember="" + + + +AUTH_FILES[0]="/etc/pam.d/system-auth" +AUTH_FILES[1]="/etc/pam.d/password-auth" + +for pamFile in "${AUTH_FILES[@]}" +do + if grep -q "remember=" $pamFile; then + sed -i --follow-symlinks "s/\(^password.*sufficient.*pam_unix.so.*\)\(\(remember *= *\)[^ $]*\)/\1remember=$var_password_pam_unix_remember/" $pamFile + else + sed -i --follow-symlinks "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" $pamFile + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.6.2.1.1 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_unix_remember + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed +- name: XCCDF Value var_password_pam_unix_remember # promote to variable + set_fact: + var_password_pam_unix_remember: !!str + tags: + - always + +- name: Do not allow users to reuse recent passwords - system-auth (change) + replace: + dest: /etc/pam.d/system-auth + regexp: ^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$ + replace: \g<1>{{ var_password_pam_unix_remember }}\g<3> + when: '"pam" in ansible_facts.packages' + tags: + - CJIS-5.6.2.1.1 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_unix_remember + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + +- name: Do not allow users to reuse recent passwords - system-auth (add) + replace: + dest: /etc/pam.d/system-auth + regexp: ^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$ + replace: \g<0> remember={{ var_password_pam_unix_remember }} + when: 
'"pam" in ansible_facts.packages' + tags: + - CJIS-5.6.2.1.1 + - NIST-800-171-3.5.8 + - NIST-800-53-IA-5(1)(e) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.5 + - accounts_password_pam_unix_remember + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + + Set Lockout Time for Failed Password Attempts + To configure the system to lock out accounts after a number of incorrect login +attempts and require an administrator to unlock the account using pam_faillock.so, +modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: + + add the following line immediately before the pam_unix.so statement in the AUTH section: +auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: +auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: +account required pam_faillock.so +If unlock_time is set to 0, manual intervention by an administrator is required to unlock a user. + 5.5.3 + 3.1.8 + CCI-000044 + CCI-002236 + CCI-002237 + CCI-002238 + CM-6(a) + AC-7(b) + PR.AC-7 + FIA_AFL.1 + Req-8.1.7 + SRG-OS-000329-GPOS-00128 + SRG-OS-000021-GPOS-00005 + SRG-OS-000329-VMM-001180 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + BP28(R18) + Locking out user accounts after a number of incorrect attempts +prevents direct password guessing attacks. 
Ensuring that an administrator is +involved in unlocking locked accounts draws appropriate attention to such +situations. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + + +var_accounts_passwords_pam_faillock_unlock_time="" + + + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") + +for pam_file in "${AUTH_FILES[@]}" +do + # is auth required pam_faillock.so preauth present? + if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then + # is the option set? + if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*'"unlock_time"'=([0-9]*).*$' "$pam_file" ; then + # just change the value of option to a correct value + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"unlock_time"' *= *\).*/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" + # the option is not set. + else + # append the option + sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ '"unlock_time"'='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" + fi + # auth required pam_faillock.so preauth is not present, insert the whole line + else + sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent '"unlock_time"'='"$var_accounts_passwords_pam_faillock_unlock_time" "$pam_file" + fi + # is auth default pam_faillock.so authfail present? + if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*$' "$pam_file" ; then + # is the option set? + if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*'"unlock_time"'=([0-9]*).*$' "$pam_file" ; then + # just change the value of option to a correct value + sed -i --follow-symlinks 's/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\('"unlock_time"' *= *\).*/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" + # the option is not set. 
+ else + # append the option + sed -i --follow-symlinks '/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ '"unlock_time"'='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file" + fi + # auth default pam_faillock.so authfail is not present, insert the whole line + else + sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail '"unlock_time"'='"$var_accounts_passwords_pam_faillock_unlock_time" "$pam_file" + fi + if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then + sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account required pam_faillock.so' "$pam_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.5.3 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(b) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.7 + - accounts_passwords_pam_faillock_unlock_time + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_accounts_passwords_pam_faillock_unlock_time # promote to variable + set_fact: + var_accounts_passwords_pam_faillock_unlock_time: !!str + tags: + - always + +- name: Add auth pam_faillock preauth unlock_time before pam_unix.so + pamd: + name: '{{ item }}' + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + new_control: required + new_module_path: pam_faillock.so + module_arguments: preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time + }} + state: before + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - CJIS-5.5.3 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(b) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.7 + - accounts_passwords_pam_faillock_unlock_time + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: 
Add unlock_time argument to pam_faillock preauth + pamd: + name: '{{ item }}' + type: auth + control: required + module_path: pam_faillock.so + module_arguments: preauth silent unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time + }} + state: args_present + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - CJIS-5.5.3 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(b) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.7 + - accounts_passwords_pam_faillock_unlock_time + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add auth pam_faillock authfail unlock_interval after pam_unix.so + pamd: + name: '{{ item }}' + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + new_control: '[default=die]' + new_module_path: pam_faillock.so + module_arguments: authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time + }} + state: after + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - CJIS-5.5.3 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(b) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.7 + - accounts_passwords_pam_faillock_unlock_time + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add unlock_time argument to auth pam_faillock authfail + pamd: + name: '{{ item }}' + type: auth + control: '[default=die]' + module_path: pam_faillock.so + module_arguments: authfail unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time + }} + state: args_present + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - CJIS-5.5.3 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(b) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.7 + - accounts_passwords_pam_faillock_unlock_time + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add account pam_faillock 
before pam_unix.so + pamd: + name: '{{ item }}' + type: account + control: required + module_path: pam_unix.so + new_type: account + new_control: required + new_module_path: pam_faillock.so + state: before + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - CJIS-5.5.3 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(b) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.7 + - accounts_passwords_pam_faillock_unlock_time + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Set Deny For Failed Password Attempts + To configure the system to lock out accounts after a number of incorrect login +attempts using pam_faillock.so, modify the content of both +/etc/pam.d/system-auth and /etc/pam.d/password-auth as follows: + + add the following line immediately before the pam_unix.so statement in the AUTH section: +auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval= add the following line immediately after the pam_unix.so statement in the AUTH section: +auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval= add the following line immediately before the pam_unix.so statement in the ACCOUNT section: +account required pam_faillock.so + 5.5.3 + 3.1.8 + CCI-000044 + CCI-002236 + CCI-002237 + CCI-002238 + CM-6(a) + AC-7(a) + PR.AC-7 + FIA_AFL.1 + Req-8.1.6 + SRG-OS-000329-GPOS-00128 + SRG-OS-000021-GPOS-00005 + SRG-OS-000021-VMM-000050 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + BP28(R18) + Locking out user accounts after a number of incorrect attempts +prevents direct password guessing attacks. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + + +var_accounts_passwords_pam_faillock_deny="" + + + +AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") + +for pam_file in "${AUTH_FILES[@]}" +do + # is auth required pam_faillock.so preauth present? + if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$' "$pam_file" ; then + # is the option set? + if grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*'"deny"'=([0-9]*).*$' "$pam_file" ; then + # just change the value of option to a correct value + sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\('"deny"' *= *\).*/\1\2'"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" + # the option is not set. + else + # append the option + sed -i --follow-symlinks '/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ '"deny"'='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" + fi + # auth required pam_faillock.so preauth is not present, insert the whole line + else + sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent '"deny"'='"$var_accounts_passwords_pam_faillock_deny" "$pam_file" + fi + # is auth default pam_faillock.so authfail present? + if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*$' "$pam_file" ; then + # is the option set? + if grep -qE '^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*'"deny"'=([0-9]*).*$' "$pam_file" ; then + # just change the value of option to a correct value + sed -i --follow-symlinks 's/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\('"deny"' *= *\).*/\1\2'"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" + # the option is not set. 
+ else + # append the option + sed -i --follow-symlinks '/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ '"deny"'='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" + fi + # auth default pam_faillock.so authfail is not present, insert the whole line + else + sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail '"deny"'='"$var_accounts_passwords_pam_faillock_deny" "$pam_file" + fi + if ! grep -qE '^\s*account\s+required\s+pam_faillock\.so.*$' "$pam_file" ; then + sed -E -i --follow-symlinks '/^\s*account\s*required\s*pam_unix.so/i account required pam_faillock.so' "$pam_file" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.5.3 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.6 + - accounts_passwords_pam_faillock_deny + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_accounts_passwords_pam_faillock_deny # promote to variable + set_fact: + var_accounts_passwords_pam_faillock_deny: !!str + tags: + - always + +- name: Add auth pam_faillock preauth deny before pam_unix.so + pamd: + name: '{{ item }}' + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + new_control: required + new_module_path: pam_faillock.so + module_arguments: preauth silent deny={{ var_accounts_passwords_pam_faillock_deny + }} + state: before + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - CJIS-5.5.3 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.6 + - accounts_passwords_pam_faillock_deny + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add deny argument to auth pam_faillock preauth + pamd: + name: '{{ item }}' + 
type: auth + control: required + module_path: pam_faillock.so + module_arguments: preauth silent deny={{ var_accounts_passwords_pam_faillock_deny + }} + state: args_present + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - CJIS-5.5.3 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.6 + - accounts_passwords_pam_faillock_deny + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add auth pam_faillock authfail deny after pam_unix.so + pamd: + name: '{{ item }}' + type: auth + control: sufficient + module_path: pam_unix.so + new_type: auth + new_control: '[default=die]' + new_module_path: pam_faillock.so + module_arguments: authfail deny={{ var_accounts_passwords_pam_faillock_deny }} + state: after + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - CJIS-5.5.3 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.6 + - accounts_passwords_pam_faillock_deny + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add deny argument to auth pam_faillock authfail + pamd: + name: '{{ item }}' + type: auth + new_type: auth + control: '[default=die]' + module_path: pam_faillock.so + module_arguments: authfail deny={{ var_accounts_passwords_pam_faillock_deny }} + state: args_present + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - CJIS-5.5.3 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.6 + - accounts_passwords_pam_faillock_deny + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add account pam_faillock before pam_unix.so + pamd: + name: '{{ item }}' + type: account + control: required + module_path: pam_unix.so + new_type: account + new_control: 
required + new_module_path: pam_faillock.so + state: before + loop: + - system-auth + - password-auth + when: '"pam" in ansible_facts.packages' + tags: + - CJIS-5.5.3 + - NIST-800-171-3.1.8 + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.1.6 + - accounts_passwords_pam_faillock_deny + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + + Set Password Quality Requirements + The default pam_pwquality PAM module provides strength +checking for passwords. It performs a number of checks, such as +making sure passwords are not similar to dictionary words, are of +at least a certain length, are not the previous password reversed, +and are not simply a change of case from the previous password. It +can also require passwords to be in certain character classes. The +pam_pwquality module is the preferred way of configuring +password requirements. + +The man pages pam_pwquality(8) +provide information on the capabilities and configuration of +each. + + Set Password Quality Requirements with pam_pwquality + The pam_pwquality PAM module can be configured to meet +requirements for a variety of policies. + +For example, to configure pam_pwquality to require at least one uppercase +character, lowercase character, digit, and other (special) +character, make sure that pam_pwquality exists in /etc/pam.d/system-auth: +password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= +If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth. +Next, modify the settings in /etc/security/pwquality.conf to match the following: +difok = 4 +minlen = 14 +dcredit = -1 +ucredit = -1 +lcredit = -1 +ocredit = -1 +maxrepeat = 3 +The arguments can be modified to ensure compliance with +your organization's security policy. Discussion of each parameter follows. 
+ + dcredit + Minimum number of digits in password + 0 + -1 + -2 + -1 + + + difok + Minimum number of characters not present in old +password + 15 + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 8 + + + lcredit + Minimum number of lower case in password + 0 + -1 + -2 + -1 + + + maxclassrepeat + Maximum Number of Consecutive Repeating Characters in a Password From the Same Character Class + 1 + 2 + 3 + 4 + 4 + + + maxrepeat + Maximum Number of Consecutive Repeating Characters in a Password + 1 + 2 + 3 + 3 + + + minclass + Minimum number of categories of characters that must exist in a password + 1 + 2 + 3 + 4 + 3 + + + minlen + Minimum number of characters in password + 10 + 12 + 14 + 15 + 18 + 20 + 6 + 7 + 8 + 15 + + + ocredit + Minimum number of other (special characters) in +password + 0 + -1 + -2 + -1 + + + retry + Number of retry attempts before erroring out + 1 + 2 + 3 + 4 + 5 + 3 + + + ucredit + Minimum number of upper case in password + 0 + -1 + -2 + -1 + + + Ensure PAM Enforces Password Requirements - Minimum Different Characters + The pam_pwquality module's difok parameter sets the number of characters +in a password that must not be present in and old password during a password change. + +Modify the difok setting in /etc/security/pwquality.conf +to equal to require differing characters +when changing passwords. 
+ 5.6.2.1.1 + CCI-000195 + IA-5(c) + IA-5(1)(b) + CM-6(a) + IA-5(4) + PR.AC-1 + PR.AC-6 + PR.AC-7 + SRG-OS-000072-GPOS-00040 + SRG-OS-000072-VMM-000390 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + Use of a complex password helps to increase the time and resources +required to compromise the password. Password complexity, or strength, +is a measure of the effectiveness of a password in resisting attempts +at guessing and brute–force attacks. + +Password complexity is one factor of several that determines how long +it takes to crack a password. The more complex the password, the +greater the number of possible combinations that need to be tested +before the password is compromised. + +Requiring a minimum number of different characters during password changes ensures that +newly changed passwords should not resemble previously compromised ones. +Note that passwords which are changed on compromised systems will still be compromised, however. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + + +var_password_pam_difok="" + +replace_or_append '/etc/security/pwquality.conf' '^difok' $var_password_pam_difok '' '%s = %s' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.6.2.1.1 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(b) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_difok + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_password_pam_difok # promote to variable + set_fact: + var_password_pam_difok: !!str + tags: + - always + +- name: Ensure PAM variable difok is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*difok + line: difok = {{ var_password_pam_difok }} + when: '"pam" in ansible_facts.packages' + tags: + - CJIS-5.6.2.1.1 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(b) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_difok + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session + To configure the number of retry prompts that are permitted per-session: +Edit the pam_pwquality.so statement in /etc/pam.d/system-auth to +show retry=, or a lower value if +site policy is more restrictive. +The DoD requirement is a maximum of 3 prompts per session. 
+ 5.5.3 + CCI-000192 + CCI-000366 + CM-6(a) + AC-7(a) + IA-5(4) + PR.AC-1 + PR.AC-6 + PR.AC-7 + PR.IP-1 + FMT_MOF_EXT.1 + SRG-OS-000480-GPOS-00225 + SRG-OS-000069-GPOS-00037 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 7.6 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 11 + 12 + 15 + 16 + 3 + 5 + 9 + Setting the password retry prompts that are permitted on a per-session basis to a low value +requires some software, such as SSH, to re-connect. This can slow down and +draw additional attention to some types of password-guessing attacks. Note that this +is different from account lockout, which is provided by the pam_faillock module. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + + +var_password_pam_retry="" + + + +if grep -q "retry=" /etc/pam.d/system-auth ; then + sed -i --follow-symlinks "s/\(retry *= *\).*/\1$var_password_pam_retry/" /etc/pam.d/system-auth +else + sed -i --follow-symlinks "/pam_pwquality.so/ s/$/ retry=$var_password_pam_retry/" /etc/pam.d/system-auth +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.5.3 + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(4) + - accounts_password_pam_retry + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed +- name: XCCDF Value var_password_pam_retry # promote to variable + set_fact: + var_password_pam_retry: !!str + tags: + - always + +- name: Set Password Retry Prompts Permitted Per-Session - system-auth (change) + replace: + dest: /etc/pam.d/system-auth + regexp: (^.*\spam_pwquality.so\s.*retry\s*=\s*)(\S+)(.*$) + replace: \g<1>{{ var_password_pam_retry }}\g<3> + when: '"pam" in ansible_facts.packages' + tags: + - CJIS-5.5.3 + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(4) + - accounts_password_pam_retry + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + +- name: Set Password Retry Prompts Permitted Per-Session - system-auth (add) + replace: + dest: /etc/pam.d/system-auth + regexp: ^.*\spam_pwquality.so\s(?!.*retry\s*=\s*).*$ + replace: \g<0> retry={{ var_password_pam_retry }} + when: '"pam" in ansible_facts.packages' + tags: + - CJIS-5.5.3 + - NIST-800-53-AC-7(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(4) + - accounts_password_pam_retry + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Length + The 
pam_pwquality module's minlen parameter controls requirements for +minimum characters required in a password. Add minlen= +after pam_pwquality to set minimum password length requirements. + 5.6.2.1.1 + CCI-000205 + IA-5(c) + IA-5(1)(a) + CM-6(a) + IA-5(4) + PR.AC-1 + PR.AC-6 + PR.AC-7 + FMT_MOF_EXT.1 + Req-8.2.3 + SRG-OS-000078-GPOS-00046 + SRG-OS-000072-VMM-000390 + SRG-OS-000078-VMM-000450 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + BP28(R18) + The shorter the password, the lower the number of possible combinations +that need to be tested before the password is compromised. + +Password complexity, or strength, is a measure of the effectiveness of a +password in resisting attempts at guessing and brute-force attacks. +Password length is one factor of several that helps to determine strength +and how long it takes to crack a password. Use of more characters in a password +helps to exponentially increase the time and/or resources required to +compromose the password. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + + +var_password_pam_minlen="" + +replace_or_append '/etc/security/pwquality.conf' '^minlen' $var_password_pam_minlen '' '%s = %s' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.6.2.1.1 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_minlen + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_password_pam_minlen # promote to variable + set_fact: + var_password_pam_minlen: !!str + tags: + - always + +- name: Ensure PAM variable minlen is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*minlen + line: minlen = {{ var_password_pam_minlen }} + when: '"pam" in ansible_facts.packages' + tags: + - CJIS-5.6.2.1.1 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_minlen + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Set Password Maximum Consecutive Repeating Characters + The pam_pwquality module's maxrepeat parameter controls requirements for +consecutive repeating characters. When set to a positive number, it will reject passwords +which contain more than that number of consecutive characters. Modify the maxrepeat setting +in /etc/security/pwquality.conf to equal to prevent a +run of ( + 1) or more identical characters. 
+ CCI-000195 + IA-5(c) + CM-6(a) + IA-5(4) + PR.AC-1 + PR.AC-6 + PR.AC-7 + SRG-OS-000072-GPOS-00040 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + Use of a complex password helps to increase the time and resources required to compromise the password. +Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at +guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more +complex the password, the greater the number of possible combinations that need to be tested before the +password is compromised. + +Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + + +var_password_pam_maxrepeat="" + +replace_or_append '/etc/security/pwquality.conf' '^maxrepeat' $var_password_pam_maxrepeat '' '%s = %s' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_maxrepeat + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_password_pam_maxrepeat # promote to variable + set_fact: + var_password_pam_maxrepeat: !!str + tags: + - always + +- name: Ensure PAM variable maxrepeat is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*maxrepeat + line: maxrepeat = {{ var_password_pam_maxrepeat }} + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_maxrepeat + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters + The pam_pwquality module's ucredit= parameter controls requirements for +usage of uppercase letters in a password. When set to a negative number, any password will be required to +contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional +length credit for each uppercase character. Modify the ucredit setting in +/etc/security/pwquality.conf to require the use of an uppercase character in passwords. 
+ CCI-000192 + IA-5(c) + IA-5(1)(a) + CM-6(a) + IA-5(4) + PR.AC-1 + PR.AC-6 + PR.AC-7 + FMT_MOF_EXT.1 + Req-8.2.3 + SRG-OS-000069-GPOS-00037 + SRG-OS-000069-VMM-000360 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + BP28(R18) + Use of a complex password helps to increase the time and resources reuiqred to compromise the password. +Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts +at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more +complex the password, the greater the number of possible combinations that need to be tested before +the password is compromised. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + + +var_password_pam_ucredit="" + +replace_or_append '/etc/security/pwquality.conf' '^ucredit' $var_password_pam_ucredit '' '%s = %s' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_ucredit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_password_pam_ucredit # promote to variable + set_fact: + var_password_pam_ucredit: !!str + tags: + - always + +- name: Ensure PAM variable ucredit is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*ucredit + line: ucredit = {{ var_password_pam_ucredit }} + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_ucredit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Different Categories + The pam_pwquality module's minclass parameter controls +requirements for usage of different character classes, or types, of character +that must exist in a password before it is considered valid. For example, +setting this value to three (3) requires that any password must have characters +from at least three different categories in order to be approved. The default +value is zero (0), meaning there are no required classes. 
There are four +categories available: + +* Upper-case characters +* Lower-case characters +* Digits +* Special characters (for example, punctuation) + +Modify the minclass setting in /etc/security/pwquality.conf entry +to require +differing categories of characters when changing passwords. + CCI-000195 + IA-5(c) + IA-5(1)(a) + CM-6(a) + IA-5(4) + PR.AC-1 + PR.AC-6 + PR.AC-7 + SRG-OS-000072-GPOS-00040 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + Use of a complex password helps to increase the time and resources required to compromise the password. +Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts +at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The +more complex the password, the greater the number of possible combinations that need to be tested before +the password is compromised. + +Requiring a minimum number of character categories makes password guessing attacks more difficult +by ensuring a larger search space. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + + +var_password_pam_minclass="" + +replace_or_append '/etc/security/pwquality.conf' '^minclass' $var_password_pam_minclass '' '%s = %s' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_minclass + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_password_pam_minclass # promote to variable + set_fact: + var_password_pam_minclass: !!str + tags: + - always + +- name: Ensure PAM variable minclass is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*minclass + line: minclass = {{ var_password_pam_minclass }} + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_minclass + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Digit Characters + The pam_pwquality module's dcredit parameter controls requirements for +usage of digits in a password. When set to a negative number, any password will be required to +contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional +length credit for each digit. Modify the dcredit setting in +/etc/security/pwquality.conf to require the use of a digit in passwords. 
+ CCI-000194 + IA-5(c) + IA-5(1)(a) + CM-6(a) + IA-5(4) + PR.AC-1 + PR.AC-6 + PR.AC-7 + FMT_MOF_EXT.1 + Req-8.2.3 + SRG-OS-000071-GPOS-00039 + SRG-OS-000071-VMM-000380 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + BP28(R18) + Use of a complex password helps to increase the time and resources required +to compromise the password. Password complexity, or strength, is a measure of +the effectiveness of a password in resisting attempts at guessing and brute-force +attacks. + +Password complexity is one factor of several that determines how long it takes +to crack a password. The more complex the password, the greater the number of +possible combinations that need to be tested before the password is compromised. +Requiring digits makes password guessing attacks more difficult by ensuring a larger +search space. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + + +var_password_pam_dcredit="" + +replace_or_append '/etc/security/pwquality.conf' '^dcredit' $var_password_pam_dcredit '' '%s = %s' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_dcredit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_password_pam_dcredit # promote to variable + set_fact: + var_password_pam_dcredit: !!str + tags: + - always + +- name: Ensure PAM variable dcredit is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*dcredit + line: dcredit = {{ var_password_pam_dcredit }} + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_dcredit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class + The pam_pwquality module's maxclassrepeat parameter controls requirements for +consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords +which contain more than that number of consecutive characters from the same character class. Modify the +maxclassrepeat setting in /etc/security/pwquality.conf to equal +to prevent a run of ( + 1) or more identical characters. 
+ CCI-000195 + IA-5(c) + IA-5(1)(a) + CM-6(a) + IA-5(4) + PR.AC-1 + PR.AC-6 + PR.AC-7 + SRG-OS-000072-GPOS-00040 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + Use of a complex password helps to increase the time and resources required to comrpomise the password. +Password complexity, or strength, is a measure of the effectiveness of a password in resisting +attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The +more complex a password, the greater the number of possible combinations that need to be tested before the +password is compromised. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + + +var_password_pam_maxclassrepeat="" + +replace_or_append '/etc/security/pwquality.conf' '^maxclassrepeat' $var_password_pam_maxclassrepeat '' '%s = %s' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_maxclassrepeat + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_password_pam_maxclassrepeat # promote to variable + set_fact: + var_password_pam_maxclassrepeat: !!str + tags: + - always + +- name: Ensure PAM variable maxclassrepeat is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*maxclassrepeat + line: maxclassrepeat = {{ var_password_pam_maxclassrepeat }} + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_maxclassrepeat + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Special Characters + The pam_pwquality module's ocredit= parameter controls requirements for +usage of special (or "other") characters in a password. When set to a negative number, +any password will be required to contain that many special characters. +When set to a positive number, pam_pwquality will grant +1 +additional length credit for each special character. Modify the ocredit setting +in /etc/security/pwquality.conf to equal +to require use of a special character in passwords. 
+ CCI-001619 + IA-5(c) + IA-5(1)(a) + CM-6(a) + IA-5(4) + PR.AC-1 + PR.AC-6 + PR.AC-7 + FMT_MOF_EXT.1 + SRG-OS-000266-GPOS-00101 + SRG-OS-000266-VMM-000940 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + BP28(R18) + Use of a complex password helps to increase the time and resources required +to compromise the password. Password complexity, or strength, is a measure of +the effectiveness of a password in resisting attempts at guessing and brute-force +attacks. + +Password complexity is one factor of several that determines how long it takes +to crack a password. The more complex the password, the greater the number of +possble combinations that need to be tested before the password is compromised. +Requiring a minimum number of special characters makes password guessing attacks +more difficult by ensuring a larger search space. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + + +var_password_pam_ocredit="" + +replace_or_append '/etc/security/pwquality.conf' '^ocredit' $var_password_pam_ocredit '' '%s = %s' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_ocredit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_password_pam_ocredit # promote to variable + set_fact: + var_password_pam_ocredit: !!str + tags: + - always + +- name: Ensure PAM variable ocredit is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*ocredit + line: ocredit = {{ var_password_pam_ocredit }} + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_ocredit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Ensure PAM Enforces Password Requirements - Enforce for root User + The pam_pwquality module's enforce_for_root parameter controls requirements for +enforcing password complexity for the root user. Enable the enforce_for_root +setting in /etc/security/pwquality.conf to require the root user +to use complex passwords. + CCI-000194 + CCI-000193 + CCI-001619 + CCI-000205 + CCI-000195 + CCI-000192 + CCI-000366 + IA-5(c) + IA-5(1)(a) + CM-6(a) + IA-5(4) + SRG-OS-000072-GPOS-00040 + SRG-OS-000071-GPOS-00039 + SRG-OS-000070-GPOS-00038 + SRG-OS-000266-GPOS-00101 + SRG-OS-000078-GPOS-00046 + SRG-OS-000480-GPOS-00225 + SRG-OS-000069-GPOS-00037 + Use of a complex password helps to increase the time and resources required to compromise +the password. 
Password complexity, or strength, is a measure of the effectiveness of a +password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a +password. The more complex the password, the greater the number of possible combinations +that need to be tested before the password is compromised. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if [ -e "/etc/security/pwquality.conf" ] ; then + LC_ALL=C sed -i "/^\s*enforce_for_root/Id" "/etc/security/pwquality.conf" +else + touch "/etc/security/pwquality.conf" +fi +cp "/etc/security/pwquality.conf" "/etc/security/pwquality.conf.bak" +# Insert at the end of the file +printf '%s\n' "enforce_for_root" >> "/etc/security/pwquality.conf" +# Clean up after ourselves. +rm "/etc/security/pwquality.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_enforce_root + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Ensure PAM Enforces Password Requirements - Enforce for root User + lineinfile: + path: /etc/security/pwquality.conf + create: true + line: enforce_for_root + state: present + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - accounts_password_pam_enforce_root + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only + The pam_pwquality module's local_users_only parameter controls requirements for +enforcing password complexity by pam_pwquality only for local user 
accounts and ignoring +centralized user account management password complexity configurations. Enable the local_users_only +setting in /etc/security/pwquality.conf to require password complexity enforcement +for only local user accounts. + Using this rule bypasses pam_faillock's functionality and should be used in cases +where centralized management such as LDAP or Active Directory is in use. + CCI-000015 + AC-2(1) + SRG-OS-000001-GPOS-00001 + The operating system must provide automated mechanisms for supporting account management +functions. Enterprise environments make application account management challenging and +complex. A manual process for account management functions adds the risk of a potential +oversight or other error. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +if [ -e "/etc/security/pwquality.conf" ] ; then + LC_ALL=C sed -i "/^\s*local_users_only/Id" "/etc/security/pwquality.conf" +else + touch "/etc/security/pwquality.conf" +fi +cp "/etc/security/pwquality.conf" "/etc/security/pwquality.conf.bak" +# Insert at the end of the file +printf '%s\n' "local_users_only" >> "/etc/security/pwquality.conf" +# Clean up after ourselves. 
+rm "/etc/security/pwquality.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-AC-2(1) + - accounts_password_pam_enforce_local + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only + lineinfile: + path: /etc/security/pwquality.conf + create: true + line: local_users_only + state: present + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-AC-2(1) + - accounts_password_pam_enforce_local + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters + The pam_pwquality module's lcredit parameter controls requirements for +usage of lowercase letters in a password. When set to a negative number, any password will be required to +contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional +length credit for each lowercase character. Modify the lcredit setting in +/etc/security/pwquality.conf to require the use of a lowercase character in passwords. 
+ CCI-000193 + IA-5(c) + IA-5(1)(a) + CM-6(a) + IA-5(4) + PR.AC-1 + PR.AC-6 + PR.AC-7 + FMT_MOF_EXT.1 + Req-8.2.3 + SRG-OS-000070-GPOS-00038 + SRG-OS-000070-VMM-000370 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + BP28(R18) + Use of a complex password helps to increase the time and resources required +to compromise the password. Password complexity, or strength, is a measure of +the effectiveness of a password in resisting attempts at guessing and brute-force +attacks. + +Password complexity is one factor of several that determines how long it takes +to crack a password. The more complex the password, the greater the number of +possble combinations that need to be tested before the password is compromised. +Requiring a minimum number of lowercase characters makes password guessing attacks +more difficult by ensuring a larger search space. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + + +var_password_pam_lcredit="" + +replace_or_append '/etc/security/pwquality.conf' '^lcredit' $var_password_pam_lcredit '' '%s = %s' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_lcredit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_password_pam_lcredit # promote to variable + set_fact: + var_password_pam_lcredit: !!str + tags: + - always + +- name: Ensure PAM variable lcredit is set accordingly + lineinfile: + create: true + dest: /etc/security/pwquality.conf + regexp: ^#?\s*lcredit + line: lcredit = {{ var_password_pam_lcredit }} + when: '"pam" in ansible_facts.packages' + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(4) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - accounts_password_pam_lcredit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + + Set Password Quality Requirements, if using +pam_cracklib + The pam_cracklib PAM module can be configured to meet +requirements for a variety of policies. + +For example, to configure pam_cracklib to require at least one uppercase +character, lowercase character, digit, and other (special) +character, locate the following line in /etc/pam.d/system-auth: +password requisite pam_cracklib.so try_first_pass retry=3 +and then alter it to read: +password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4 +If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth. 
+The arguments can be modified to ensure compliance with +your organization's security policy. Discussion of each parameter follows. + Note that the password quality requirements are not enforced for the +root account for some reason. + + + + Set Password Hashing Algorithm + The system's default algorithm for storing password hashes in +/etc/shadow is SHA-512. This can be configured in several +locations. + + Set Password Hashing Algorithm in /etc/login.defs + In /etc/login.defs, add or correct the following line to ensure +the system will use SHA-512 as the hashing algorithm: +ENCRYPT_METHOD SHA512 + 5.6.2.2 + 3.13.11 + CCI-000196 + IA-5(c) + IA-5(1)(c) + CM-6(a) + PR.AC-1 + PR.AC-6 + PR.AC-7 + Req-8.2.1 + SRG-OS-000073-GPOS-00041 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + BP28(R32) + 0418 + 1055 + 1402 + Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. +If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords +that are encrypted with a weak algorithm are no more protected than if they are kept in plain text. + +Using a stronger hashing algorithm makes password cracking attacks more difficult. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q login; then + + +var_password_hashing_algorithm="" + + + +if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then + sed -i "s/^ENCRYPT_METHOD .*/ENCRYPT_METHOD $var_password_hashing_algorithm/g" /etc/login.defs +else + echo "" >> /etc/login.defs + echo "ENCRYPT_METHOD $var_password_hashing_algorithm" >> /etc/login.defs +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.6.2.2 + - NIST-800-171-3.13.11 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(c) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.1 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - set_password_hashing_algorithm_logindefs +- name: XCCDF Value var_password_hashing_algorithm # promote to variable + set_fact: + var_password_hashing_algorithm: !!str + tags: + - always + +- name: Set Password Hashing Algorithm in /etc/login.defs + lineinfile: + dest: /etc/login.defs + regexp: ^#?ENCRYPT_METHOD + line: ENCRYPT_METHOD {{ var_password_hashing_algorithm }} + state: present + create: true + when: '"login" in ansible_facts.packages' + tags: + - CJIS-5.6.2.2 + - NIST-800-171-3.13.11 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(c) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.1 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - set_password_hashing_algorithm_logindefs + + + + + + + + + + + Set PAM's Password Hashing Algorithm + The PAM system service can be configured to only store encrypted +representations of passwords. In + +/etc/pam.d/system-auth, + +the +password section of the file controls which PAM modules execute +during a password change. Set the pam_unix.so module in the +password section to include the argument sha512, as shown +below: + + +password sufficient pam_unix.so sha512 other arguments... 
+ + +This will help ensure when local users change their passwords, hashes for +the new passwords will be generated using the SHA-512 algorithm. This is +the default. + 5.6.2.2 + 3.13.11 + CCI-000196 + IA-5(c) + IA-5(1)(c) + CM-6(a) + PR.AC-1 + PR.AC-6 + PR.AC-7 + Req-8.2.1 + SRG-OS-000073-GPOS-00041 + SRG-OS-000480-VMM-002000 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + 0418 + 1055 + 1402 + BP28(R32) + Passwords need to be protected at all times, and encryption is the standard +method for protecting passwords. If passwords are not encrypted, they can +be plainly read (i.e., clear text) and easily compromised. Passwords that +are encrypted with a weak algorithm are no more protected than if they are +kepy in plain text. + +This setting ensures user and group account administration utilities are +configured to store only encrypted representations of passwords. +Additionally, the crypt_style configuration option ensures the use +of a strong hashing algorithm that makes password cracking attacks more +difficult. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + +AUTH_FILES[0]="/etc/pam.d/system-auth" +AUTH_FILES[1]="/etc/pam.d/password-auth" + +for pamFile in "${AUTH_FILES[@]}" +do + if ! 
grep -q "^password.*sufficient.*pam_unix.so.*sha512" $pamFile; then + sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" $pamFile + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Set Password Hashing Algorithm in /etc/libuser.conf + In /etc/libuser.conf, add or correct the following line in its +[defaults] section to ensure the system will use the SHA-512 +algorithm for password hashing: +crypt_style = sha512 + 5.6.2.2 + 3.13.11 + CCI-000196 + IA-5(c) + IA-5(1)(c) + CM-6(a) + PR.AC-1 + PR.AC-6 + PR.AC-7 + Req-8.2.1 + SRG-OS-000073-GPOS-00041 + SRG-OS-000480-VMM-002000 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + 0418 + 1055 + 1402 + Passwords need to be protected at all times, and encryption is the standard +method for protecting passwords. If passwords are not encrypted, they can +be plainly read (i.e., clear text) and easily compromised. Passwords that +are encrypted with a weak algorithm are no more protected than if they are +kepy in plain text. + +This setting ensures user and group account administration utilities are +configured to store only encrypted representations of passwords. +Additionally, the crypt_style configuration option ensures the use +of a strong hashing algorithm that makes password cracking attacks more +difficult. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q libuser; then + +LIBUSER_CONF="/etc/libuser.conf" +CRYPT_STYLE_REGEX='[[:space:]]*\[defaults](.*(\n)+)+?[[:space:]]*crypt_style[[:space:]]*' + +# Try find crypt_style in [defaults] section. If it is here, then change algorithm to sha512. +# If it isn't here, then add it to [defaults] section. +if grep -qzosP $CRYPT_STYLE_REGEX $LIBUSER_CONF ; then + sed -i "s/\(crypt_style[[:space:]]*=[[:space:]]*\).*/\1sha512/g" $LIBUSER_CONF +elif grep -qs "\[defaults]" $LIBUSER_CONF ; then + sed -i "/[[:space:]]*\[defaults]/a crypt_style = sha512" $LIBUSER_CONF +else + echo -e "[defaults]\ncrypt_style = sha512" >> $LIBUSER_CONF +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.6.2.2 + - NIST-800-171-3.13.11 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(c) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.1 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - set_password_hashing_algorithm_libuserconf + +- name: Set Password Hashing Algorithm in /etc/libuser.conf + lineinfile: + dest: /etc/libuser.conf + insertafter: ^\s*\[defaults] + regexp: ^#?crypt_style + line: crypt_style = sha512 + state: present + create: true + when: '"libuser" in ansible_facts.packages' + tags: + - CJIS-5.6.2.2 + - NIST-800-171-3.13.11 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(c) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.1 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - set_password_hashing_algorithm_libuserconf + + + + + + + + + + + + Protect Physical Console Access + It is impossible to fully protect a system from an +attacker with physical access, so securing the space in which the +system is located should be considered a necessary step. 
However, +there are some steps which, if taken, make it more difficult for an +attacker to quickly or undetectably modify a system from its +console. + + Disable debug-shell SystemD Service + SystemD's debug-shell service is intended to +diagnose SystemD related boot issues with various systemctl +commands. Once enabled and following a system reboot, the root shell +will be available on tty9 which is access by pressing +CTRL-ALT-F9. The debug-shell service should only be used +for SystemD related issues and should otherwise be disabled. + +By default, the debug-shell SystemD service is already disabled. + +The debug-shell service can be disabled with the following command: +$ sudo systemctl mask --now debug-shell.service + 3.4.5 + 164.308(a)(1)(ii)(B) + 164.308(a)(7)(i) + 164.308(a)(7)(ii)(A) + 164.310(a)(1) + 164.310(a)(2)(i) + 164.310(a)(2)(ii) + 164.310(a)(2)(iii) + 164.310(b) + 164.310(c) + 164.310(d)(1) + 164.310(d)(2)(iii) + FIA_UAU.1 + SRG-OS-000324-GPOS-00125 + SRG-OS-000480-GPOS-00227 + CCI-000366 + This prevents attackers with physical access from trivially bypassing security +on the machine through valid troubleshooting configurations and gaining root +access when the system is rebooted. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'debug-shell.service' +"$SYSTEMCTL_EXEC" disable 'debug-shell.service' +"$SYSTEMCTL_EXEC" mask 'debug-shell.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^debug-shell.socket'; then + "$SYSTEMCTL_EXEC" stop 'debug-shell.socket' + "$SYSTEMCTL_EXEC" mask 'debug-shell.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. 
+"$SYSTEMCTL_EXEC" reset-failed 'debug-shell.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable service debug-shell + block: + + - name: Gather the service facts + service_facts: null + + - name: Disable service debug-shell + systemd: + name: debug-shell.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"debug-shell.service" in ansible_facts.services' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.4.5 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_debug-shell_disabled + +- name: Unit Socket Exists - debug-shell.socket + command: systemctl list-unit-files debug-shell.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.4.5 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_debug-shell_disabled + +- name: Disable socket debug-shell + systemd: + name: debug-shell.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"debug-shell.socket" in socket_file_exists.stdout_lines[1]' + tags: + - NIST-800-171-3.4.5 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_debug-shell_disabled + + include disable_debug-shell + +class disable_debug-shell { + service {'debug-shell': + enable => false, + ensure => 'stopped', + } +} + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - enabled: false + name: debug-shell.service + + + + + + + + + + Require Authentication for 
Emergency Systemd Target + Emergency mode is intended as a system recovery +method, providing a single user root access to the system +during a failed boot sequence. + +By default, Emergency mode is protected by requiring a password and is set +in /usr/lib/systemd/system/emergency.service. + 3.1.1 + 3.4.5 + CCI-000213 + 164.308(a)(1)(ii)(B) + 164.308(a)(7)(i) + 164.308(a)(7)(ii)(A) + 164.310(a)(1) + 164.310(a)(2)(i) + 164.310(a)(2)(ii) + 164.310(a)(2)(iii) + 164.310(b) + 164.310(c) + 164.310(d)(1) + 164.310(d)(2)(iii) + IA-2 + AC-3 + CM-6(a) + PR.AC-1 + PR.AC-4 + PR.AC-6 + PR.AC-7 + PR.PT-3 + FIA_UAU.1 + SRG-OS-000080-GPOS-00048 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.06 + DSS06.10 + A.18.1.4 + A.6.1.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 14 + 15 + 16 + 18 + 3 + 5 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + This prevents attackers with physical access from trivially bypassing security +on the machine and gaining root access. Such accesses are further prevented +by configuring the bootloader password. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +service_file="/usr/lib/systemd/system/emergency.service" + +sulogin="/usr/lib/systemd/systemd-sulogin-shell emergency" + +if grep "^ExecStart=.*" "$service_file" ; then + sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file" +else + echo "ExecStart=-$sulogin" >> "$service_file" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: require emergency mode password + lineinfile: + create: true + dest: /usr/lib/systemd/system/emergency.service + regexp: ^#?ExecStart= + line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.1 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-3 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-2 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - require_emergency_target_auth + - restrict_strategy + + + + + + + + + + Disable Ctrl-Alt-Del Reboot Activation + By default, SystemD will reboot the system if the Ctrl-Alt-Del +key sequence is pressed. + +To configure the system to ignore the Ctrl-Alt-Del key sequence from the + +command line instead of rebooting the system, do either of the following: +ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target +or +systemctl mask ctrl-alt-del.target + +Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, +as this file may be restored during future system updates. 
+ 3.4.5 + CCI-000366 + 164.308(a)(1)(ii)(B) + 164.308(a)(7)(i) + 164.308(a)(7)(ii)(A) + 164.310(a)(1) + 164.310(a)(2)(i) + 164.310(a)(2)(ii) + 164.310(a)(2)(iii) + 164.310(b) + 164.310(c) + 164.310(d)(1) + 164.310(d)(2)(iii) + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SRG-OS-000324-GPOS-00125 + SRG-OS-000480-GPOS-00227 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + A locally logged-in user who presses Ctrl-Alt-Del, when at the console, +can reboot the system. If accidentally pressed, as could happen in +the case of mixed OS environment, this can create the risk of short-term +loss of availability of systems due to unintentional reboot. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +systemctl mask --now ctrl-alt-del.target + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable Ctrl-Alt-Del Reboot Activation + systemd: + name: ctrl-alt-del.target + masked: true + state: stopped + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - disable_ctrlaltdel_reboot + - disable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: ctrl-alt-del.target + mask: true + + + + + + + + + + Require Authentication for Single User Mode + Single-user mode is intended as a system recovery +method, providing a single user root access to the system by +providing a boot option at startup. By default, no authentication +is performed if single-user mode is selected. + +By default, single-user mode is protected by requiring a password and is set +in /usr/lib/systemd/system/rescue.service. 
+ 3.1.1 + 3.4.5 + CCI-000213 + 164.308(a)(1)(ii)(B) + 164.308(a)(7)(i) + 164.308(a)(7)(ii)(A) + 164.310(a)(1) + 164.310(a)(2)(i) + 164.310(a)(2)(ii) + 164.310(a)(2)(iii) + 164.310(b) + 164.310(c) + 164.310(d)(1) + 164.310(d)(2)(iii) + IA-2 + AC-3 + CM-6(a) + PR.AC-1 + PR.AC-4 + PR.AC-6 + PR.AC-7 + PR.PT-3 + FIA_UAU.1 + SRG-OS-000080-GPOS-00048 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.06 + DSS06.10 + A.18.1.4 + A.6.1.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 14 + 15 + 16 + 18 + 3 + 5 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + This prevents attackers with physical access from trivially bypassing security +on the machine and gaining root access. Such accesses are further prevented +by configuring the bootloader password. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +service_file="/usr/lib/systemd/system/rescue.service" + +sulogin="/usr/lib/systemd/systemd-sulogin-shell rescue" + +if grep "^ExecStart=.*" "$service_file" ; then + sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file" +else + echo "ExecStart=-$sulogin" >> "$service_file" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: require single user mode password + lineinfile: + create: true + dest: /usr/lib/systemd/system/rescue.service + regexp: ^#?ExecStart= + line: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.1 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-3 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-2 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - require_singleuser_auth + - restrict_strategy + + + + + + + + + + Verify that Interactive Boot is Disabled + Fedora systems support an "interactive boot" option that can +be used to prevent services from being started. On a Fedora +system, interactive boot can be enabled by providing a 1, +yes, true, or on value to the +systemd.confirm_spawn kernel argument in /etc/default/grub. +Remove any instance of systemd.confirm_spawn=(1|yes|true|on) from +the kernel arguments in that file to disable interactive boot. 
It is also +required to change the runtime configuration, run: +/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn" + 3.1.2 + 3.4.5 + CCI-000213 + 164.308(a)(1)(ii)(B) + 164.308(a)(7)(i) + 164.308(a)(7)(ii)(A) + 164.310(a)(1) + 164.310(a)(2)(i) + 164.310(a)(2)(ii) + 164.310(a)(2)(iii) + 164.310(b) + 164.310(c) + 164.310(d)(1) + 164.310(d)(2)(iii) + SC-2(1) + CM-6(a) + PR.AC-4 + PR.AC-6 + PR.PT-3 + FIA_UAU.1 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + DSS06.06 + A.6.1.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 11 + 12 + 14 + 15 + 16 + 18 + 3 + 5 + SRG-OS-000480-GPOS-00227 + Using interactive boot, the console user could disable auditing, firewalls, +or other services, weakening system security. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common; then + +CONFIRM_SPAWN_YES="systemd.confirm_spawn=\(1\|yes\|true\|on\)" +CONFIRM_SPAWN_NO="systemd.confirm_spawn=no" + +if grep -q "\(GRUB_CMDLINE_LINUX\|GRUB_CMDLINE_LINUX_DEFAULT\)" /etc/default/grub +then + sed -i "s/${CONFIRM_SPAWN_YES}/${CONFIRM_SPAWN_NO}/" /etc/default/grub +fi +# Remove 'systemd.confirm_spawn' kernel argument also from runtime settings +/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.1.2 + - NIST-800-171-3.4.5 + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-2(1) + - grub2_disable_interactive_boot + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Verify that Interactive Boot is Disabled in /etc/default/grub + replace: + dest: /etc/default/grub + regexp: systemd.confirm_spawn=(1|yes|true|on) + replace: systemd.confirm_spawn=no + when: '"grub2-common" in ansible_facts.packages' + tags: + - NIST-800-171-3.1.2 + - NIST-800-171-3.4.5 + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-2(1) + - grub2_disable_interactive_boot + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Verify that Interactive Boot is Disabled (runtime) + command: /sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn" + when: '"grub2-common" in ansible_facts.packages' + tags: + - NIST-800-171-3.1.2 + - NIST-800-171-3.4.5 + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-2(1) + - grub2_disable_interactive_boot + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Configure Screen Locking + When a user must temporarily leave an account +logged-in, screen locking should be employed to prevent passersby +from abusing the 
account. User education and training is +particularly important for screen locking to be effective, and policies +can be implemented to reinforce this. + +Automatic screen locking is only meant as a safeguard for +those cases where a user forgot to lock the screen. + + Hardware Tokens for Authentication + The use of hardware tokens such as smart cards for system login +provides stronger, two-factor authentication than using a username and password. + +In Red Hat Enterprise Linux servers and workstations, hardware token login + +is not enabled by default and must be enabled in the system settings. + + + OpenSC Smart Card Drivers + Choose the Smart Card Driver in use by your organization. +For DoD, choose the cac driver. +If your driver is not listed and you don't want to use the +default driver, use the other option and +manually specify your driver. + default + acos5 + akis + asepcos + atrust-acos + authentic + belpic + cac + cardos + coolkey + cyberflex + dnie + entersafe + epass2003 + flex + gemsafeV1 + gids + gpk + iasecc + incrypto34 + isoApplet + itacns + jpki + MaskTech + mcrd + muscle + myeid + npa + oberthur + openpgp + None + PIV-II + rutoken_ecp + rutoken + sc-hsm + setcos + starcos + tcos + westcos + + + Install the opensc Package For Multifactor Authentication + The opensc package can be installed with the following command: + +$ sudo dnf install opensc + CCI-001954 + CCI-001953 + CM-6(a) + SRG-OS-000375-GPOS-00160 + SRG-OS-000376-GPOS-00161 + SRG-OS-000376-VMM-001520 + 1382 + 1384 + 1386 + Using an authentication device, such as a CAC or token that is separate from +the information system, ensures that even if the information system is +compromised, that compromise will not affect credentials stored on the +authentication device. + +Multifactor solutions that require devices separate from +information systems gaining access include, for example, hardware tokens +providing time-based or challenge-response authenticators and smart cards such +as the U.S. 
Government Personal Identity Verification card and the DoD Common +Access Card. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "opensc" ; then + dnf install -y "opensc" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure opensc is installed + package: + name: opensc + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_opensc_installed + + include install_opensc + +class install_opensc { + package { 'opensc': + ensure => 'installed', + } +} + + +package --add=opensc + + +[[packages]] +name = "opensc" +version = "*" + + + + + + + + + + Install the pcsc-lite package + The pcsc-lite package can be installed with the following command: + +$ sudo dnf install pcsc-lite + CCI-001954 + CM-6(a) + SRG-OS-000375-GPOS-00160 + SRG-OS-000377-VMM-001530 + 1382 + 1384 + 1386 + The pcsc-lite package must be installed if it is to be available for +multifactor authentication using smartcards. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! 
rpm -q --quiet "pcsc-lite" ; then + dnf install -y "pcsc-lite" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure pcsc-lite is installed + package: + name: pcsc-lite + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_pcsc-lite_installed + + include install_pcsc-lite + +class install_pcsc-lite { + package { 'pcsc-lite': + ensure => 'installed', + } +} + + +package --add=pcsc-lite + + +[[packages]] +name = "pcsc-lite" +version = "*" + + + + + + + + + + Enable the pcscd Service + +The pcscd service can be enabled with the following command: +$ sudo systemctl enable pcscd.service + CCI-001954 + IA-2(1) + IA-2(2) + IA-2(3) + IA-2(4) + IA-2(6) + IA-2(7) + IA-2(11) + CM-6(a) + SRG-OS-000375-GPOS-00160 + SRG-OS-000377-VMM-001530 + 1382 + 1384 + 1386 + Using an authentication device, such as a CAC or token that is separate from +the information system, ensures that even if the information system is +compromised, that compromise will not affect credentials stored on the +authentication device. + +Multifactor solutions that require devices separate from +information systems gaining access include, for example, hardware tokens +providing time-based or challenge-response authenticators and smart cards such +as the U.S. Government Personal Identity Verification card and the DoD Common +Access Card. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'pcscd.service' +"$SYSTEMCTL_EXEC" start 'pcscd.service' +"$SYSTEMCTL_EXEC" enable 'pcscd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable service pcscd + block: + + - name: Gather the package facts + package_facts: + manager: auto + + - name: Enable service pcscd + service: + name: pcscd + enabled: 'yes' + state: started + masked: 'no' + when: + - '"pcsc-lite" in ansible_facts.packages' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-2(1) + - NIST-800-53-IA-2(11) + - NIST-800-53-IA-2(2) + - NIST-800-53-IA-2(3) + - NIST-800-53-IA-2(4) + - NIST-800-53-IA-2(6) + - NIST-800-53-IA-2(7) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_pcscd_enabled + + include enable_pcscd + +class enable_pcscd { + service {'pcscd': + enable => true, + ensure => 'running', + } +} + + + + + + + + + + Install Smart Card Packages For Multifactor Authentication + Configure the operating system to implement multifactor authentication by +installing the required package with the following command: + +The openssl-pkcs11 package can be installed with the following command: + +$ sudo dnf install openssl-pkcs11 + CCI-000765 + CCI-001948 + CCI-001953 + CCI-001954 + CM-6(a) + SRG-OS-000105-GPOS-00052 + SRG-OS-000375-GPOS-00160 + SRG-OS-000375-GPOS-00161 + SRG-OS-000377-GPOS-00162 + Using an authentication device, such as a CAC or token that is separate from +the information system, ensures that even if the information system is +compromised, that compromise will not affect credentials stored on the +authentication device. 
+ +Multifactor solutions that require devices separate from +information systems gaining access include, for example, hardware tokens +providing time-based or challenge-response authenticators and smart cards such +as the U.S. Government Personal Identity Verification card and the DoD Common +Access Card. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "openssl-pkcs11" ; then + dnf install -y "openssl-pkcs11" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + include install_openssl-pkcs11 + +class install_openssl-pkcs11 { + package { 'openssl-pkcs11': + ensure => 'installed', + } +} + + +package --add=openssl-pkcs11 + + +[[packages]] +name = "openssl-pkcs11" +version = "*" + + + + + + + + + + Enable Smart Card Login + To enable smart card authentication, consult the documentation at: + + + + + +For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at: +https://access.redhat.com/solutions/82273 + CCI-000764 + CCI-000765 + CCI-000766 + CCI-000767 + CCI-000768 + CCI-000770 + CCI-000771 + CCI-000772 + CCI-000884 + IA-2(1) + IA-2(2) + IA-2(3) + IA-2(4) + IA-2(6) + IA-2(7) + IA-2(11) + CM-6(a) + PR.AC-1 + PR.AC-6 + PR.AC-7 + Req-8.3 + SRG-OS-000104-GPOS-00051 + SRG-OS-000106-GPOS-00053 + SRG-OS-000107-GPOS-00054 + SRG-OS-000108-GPOS-00055 + SRG-OS-000108-GPOS-00057 + SRG-OS-000108-GPOS-00058 + SRG-OS-000109-GPOS-00056 + SRG-OS-000376-GPOS-00161 + SRG-OS-000377-GPOS-00162 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 
15 + 16 + 5 + Smart card login provides two-factor authentication stronger than +that provided by a username and password combination. Smart cards leverage PKI +(public key infrastructure) in order to provide and verify credentials. + + + + + + + + + + Force opensc To Use Defined Smart Card Driver + The OpenSC smart card tool can auto-detect smart card drivers; however by +forcing the smart card driver in use by your organization, opensc will no longer +autodetect or use other drivers unless specified. This helps to prevent +users from using unauthorized smart cards. The default smart card driver for this +profile is . +To force the OpenSC driver, edit the /etc/opensc-ARCH.conf (where +ARCH is the architecture of your operating system) file. Look for a line +similar to: +# force_card_driver = customcos; +and change it to: +force_card_driver = ; + CCI-000765 + CCI-000766 + CCI-000767 + CCI-000768 + CCI-000771 + CCI-000772 + CCI-000884 + IA-2(1) + IA-2(2) + IA-2(3) + IA-2(4) + IA-2(6) + IA-2(7) + IA-2(11) + CM-6(a) + PR.AC-1 + PR.AC-6 + PR.AC-7 + Req-8.3 + SRG-OS-000104-GPOS-00051 + SRG-OS-000106-GPOS-00053 + SRG-OS-000107-GPOS-00054 + SRG-OS-000109-GPOS-00056 + SRG-OS-000108-GPOS-00055 + SRG-OS-000108-GPOS-00057 + SRG-OS-000108-GPOS-00058 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + SRG-OS-000376-VMM-001520 + 1382 + 1384 + 1386 + Smart card login provides two-factor authentication stronger than +that provided by a username and password combination. Smart cards leverage PKI +(public key infrastructure) in order to provide and verify credentials. 
+Forcing the smart card driver in use by your organization helps to prevent +users from using unauthorized smart cards. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +var_smartcard_drivers="" + + + +OPENSC_TOOL="/usr/bin/opensc-tool" + +if [ -f "${OPENSC_TOOL}" ]; then + ${OPENSC_TOOL} -S app:default:force_card_driver:$var_smartcard_drivers +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_smartcard_drivers # promote to variable + set_fact: + var_smartcard_drivers: !!str + tags: + - always + +- name: Check existence of opensc conf + stat: + path: /etc/opensc-{{ ansible_architecture }}.conf + register: opensc_conf_fcd + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-2(1) + - NIST-800-53-IA-2(11) + - NIST-800-53-IA-2(2) + - NIST-800-53-IA-2(3) + - NIST-800-53-IA-2(4) + - NIST-800-53-IA-2(6) + - NIST-800-53-IA-2(7) + - PCI-DSS-Req-8.3 + - configure_strategy + - force_opensc_card_drivers + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Force smartcard driver block + block: + + - name: Check if force_card_driver is defined + command: /usr/bin/opensc-tool -G app:default:force_card_driver + changed_when: false + register: force_card_driver + + - name: Force opensc To Use Defined Smart Card Driver + command: | + /usr/bin/opensc-tool -S app:default:force_card_driver:{{ var_smartcard_drivers }} + when: + - force_card_driver.stdout != var_smartcard_drivers + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - opensc_conf_fcd.stat.exists + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-2(1) + - NIST-800-53-IA-2(11) + - NIST-800-53-IA-2(2) + - NIST-800-53-IA-2(3) + - NIST-800-53-IA-2(4) + - NIST-800-53-IA-2(6) + - NIST-800-53-IA-2(7) + - PCI-DSS-Req-8.3 + - 
configure_strategy + - force_opensc_card_drivers + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + + Configure NSS DB To Use opensc + The opensc module should be configured for use over the +Coolkey PKCS#11 module in the NSS database. To configure the +NSS database to use the opensc module, run the following +command: +$ sudo pkcs11-switch opensc + CCI-000765 + CCI-000766 + CCI-000767 + CCI-000768 + CCI-000771 + CCI-000772 + CCI-000884 + IA-2(1) + IA-2(2) + IA-2(3) + IA-2(4) + IA-2(6) + IA-2(7) + IA-2(11) + CM-6(a) + PR.AC-1 + PR.AC-6 + PR.AC-7 + Req-8.3 + SRG-OS-000104-GPOS-00051 + SRG-OS-000106-GPOS-00053 + SRG-OS-000107-GPOS-00054 + SRG-OS-000109-GPOS-00056 + SRG-OS-000108-GPOS-00055 + SRG-OS-000108-GPOS-00057 + SRG-OS-000108-GPOS-00058 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + SRG-OS-000376-VMM-001520 + SRG-OS-000403-VMM-001640 + Smart card login provides two-factor authentication stronger than +that provided by a username and password combination. Smart cards leverage PKI +(public key infrastructure) in order to provide and verify credentials. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +PKCSSW=$(/usr/bin/pkcs11-switch) + +if [ ${PKCSSW} != "opensc" ] ; then + ${PKCSSW} opensc +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check existence of pkcs11-switch + stat: + path: /usr/bin/pkcs11-switch + register: pkcs11switch + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-2(1) + - NIST-800-53-IA-2(11) + - NIST-800-53-IA-2(2) + - NIST-800-53-IA-2(3) + - NIST-800-53-IA-2(4) + - NIST-800-53-IA-2(6) + - NIST-800-53-IA-2(7) + - PCI-DSS-Req-8.3 + - configure_opensc_nss_db + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Get NSS database smart card configuration + command: /usr/bin/pkcs11-switch + changed_when: true + register: pkcsw_output + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - pkcs11switch.stat.exists + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-2(1) + - NIST-800-53-IA-2(11) + - NIST-800-53-IA-2(2) + - NIST-800-53-IA-2(3) + - NIST-800-53-IA-2(4) + - NIST-800-53-IA-2(6) + - NIST-800-53-IA-2(7) + - PCI-DSS-Req-8.3 + - configure_opensc_nss_db + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Configure NSS DB To Use opensc + command: /usr/bin/pkcs11-switch opensc + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - pkcs11switch.stat.exists and pkcsw_output.stdout != "opensc" + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-2(1) + - NIST-800-53-IA-2(11) + - NIST-800-53-IA-2(2) + - NIST-800-53-IA-2(3) + - NIST-800-53-IA-2(4) + - NIST-800-53-IA-2(6) + - NIST-800-53-IA-2(7) + - PCI-DSS-Req-8.3 + - configure_opensc_nss_db + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Configure opensc 
Smart Card Drivers + The OpenSC smart card tool can auto-detect smart card drivers; however, +setting the smart card drivers in use by your organization helps to prevent +users from using unauthorized smart cards. The default smart card driver for this +profile is . +To configure the OpenSC driver, edit the /etc/opensc-ARCH.conf (where +ARCH is the architecture of your operating system) file. Look for a +line similar to: +# card_drivers = old, internal; +and change it to: +card_drivers = ; + CCI-000765 + CCI-000766 + CCI-000767 + CCI-000768 + CCI-000771 + CCI-000772 + CCI-000884 + IA-2(1) + IA-2(2) + IA-2(3) + IA-2(4) + IA-2(6) + IA-2(7) + IA-2(11) + CM-6(a) + PR.AC-1 + PR.AC-6 + PR.AC-7 + Req-8.3 + SRG-OS-000104-GPOS-00051 + SRG-OS-000106-GPOS-00053 + SRG-OS-000107-GPOS-00054 + SRG-OS-000109-GPOS-00056 + SRG-OS-000108-GPOS-00055 + SRG-OS-000108-GPOS-00057 + SRG-OS-000108-GPOS-00058 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + SRG-OS-000376-VMM-001520 + 1382 + 1384 + 1386 + Smart card login provides two-factor authentication stronger than +that provided by a username and password combination. Smart cards leverage PKI +(public key infrastructure) in order to provide and verify credentials. +Configuring the smart card driver in use by your organization helps to prevent +users from using unauthorized smart cards. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +var_smartcard_drivers="" + + + +OPENSC_TOOL="/usr/bin/opensc-tool" + +if [ -f "${OPENSC_TOOL}" ]; then + ${OPENSC_TOOL} -S app:default:card_drivers:$var_smartcard_drivers +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_smartcard_drivers # promote to variable + set_fact: + var_smartcard_drivers: !!str + tags: + - always + +- name: Check existence of opensc conf + stat: + path: /etc/opensc-{{ ansible_architecture }}.conf + register: opensc_conf_cd + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-2(1) + - NIST-800-53-IA-2(11) + - NIST-800-53-IA-2(2) + - NIST-800-53-IA-2(3) + - NIST-800-53-IA-2(4) + - NIST-800-53-IA-2(6) + - NIST-800-53-IA-2(7) + - PCI-DSS-Req-8.3 + - configure_opensc_card_drivers + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Configure smartcard driver block + block: + + - name: Check if card_drivers is defined + command: /usr/bin/opensc-tool -G app:default:card_drivers + changed_when: false + register: card_drivers + + - name: Configure opensc Smart Card Drivers + command: | + /usr/bin/opensc-tool -S app:default:card_drivers:{{ var_smartcard_drivers }} + when: + - card_drivers.stdout != var_smartcard_drivers + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - opensc_conf_cd.stat.exists + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-2(1) + - NIST-800-53-IA-2(11) + - NIST-800-53-IA-2(2) + - NIST-800-53-IA-2(3) + - NIST-800-53-IA-2(4) + - NIST-800-53-IA-2(6) + - NIST-800-53-IA-2(7) + - PCI-DSS-Req-8.3 + - configure_opensc_card_drivers + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + + + Configure Console Screen Locking + A console screen locking mechanism is a temporary action 
taken when a user +stops work and moves away from the immediate physical vicinity of the +information system but does not logout because of the temporary nature of +the absence. Rather than relying on the user to manually lock their +operation system session prior to vacating the vicinity, operating systems +need to be able to identify when a user's session has idled and take action +to initiate the session lock. + + Install the screen Package + To enable console screen locking, install the screen package. +The screen package can be installed with the following command: + +$ sudo dnf install screen +Instruct users to begin new terminal sessions with the following command: +$ screen +The console can now be locked with the following key combination: +ctrl+a x + 3.1.10 + CCI-000057 + CCI-000058 + CM-6(a) + PR.AC-7 + FMT_MOF_EXT.1 + SRG-OS-000029-GPOS-00010 + SRG-OS-000030-VMM-000110 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate +physical vicinity of the information system but does not logout because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity, +operating systems need to be able to identify when a user's session has idled and take action to initiate the +session lock. + +The screen package allows for a session lock to be implemented and configured. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! 
rpm -q --quiet "screen" ; then + dnf install -y "screen" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure screen is installed + package: + name: screen + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_screen_installed + + include install_screen + +class install_screen { + package { 'screen': + ensure => 'installed', + } +} + + +package --add=screen + + +[[packages]] +name = "screen" +version = "*" + + + + + + + + + + Install the tmux Package + To enable console screen locking, install the tmux package. +The tmux package can be installed with the following command: + +$ sudo dnf install tmux +Instruct users to begin new terminal sessions with the following command: +$ tmux +The console can now be locked with the following key combination: +ctrl+b :lock-session + 3.1.10 + CCI-000058 + CCI-000056 + CM-6(a) + PR.AC-7 + FMT_MOF_EXT.1 + SRG-OS-000030-GPOS-00011 + SRG-OS-000028-GPOS-00009 + SRG-OS-000030-VMM-000110 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate +physical vicinity of the information system but does not logout because of the temporary nature of the absence. +Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity, +operating systems need to be able to identify when a user's session has idled and take action to initiate the +session lock. 
+ +The tmux package allows for a session lock to be implemented and configured. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "tmux" ; then + dnf install -y "tmux" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure tmux is installed + package: + name: tmux + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.10 + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_tmux_installed + + include install_tmux + +class install_tmux { + package { 'tmux': + ensure => 'installed', + } +} + + +package --add=tmux + + +[[packages]] +name = "tmux" +version = "*" + + + + + + + + + + Prevent user from disabling the screen lock + The tmux terminal multiplexer is used to implement +automatic session locking. It should not be listed in +/etc/shells. + FMT_SMF_EXT.1 + SRG-OS-000324-GPOS-00125 + SRG-OS-000028-GPOS-00009 + CCI-000056 + Not listing tmux among permitted shells +prevents malicious program running as user +from lowering security by disabling the screen lock. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if grep -q 'tmux$' /etc/shells ; then + sed -i '/tmux$/d' /etc/shells +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,/bin/sh%0A/bin/bash%0A/usr/bin/sh%0A/usr/bin/bash%0A + mode: 0644 + path: /etc/shells + overwrite: true + + + + + + + + + + Configure the tmux Lock Command + To enable console screen locking in tmux terminal multiplexer, +the vlock command must be configured to be used as a locking +mechanism. +Add the following line to /etc/tmux.conf: +set -g lock-command vlock. +The console can now be locked with the following key combination: +ctrl+b :lock-session + CCI-000056 + CCI-000058 + AC-11(a) + AC-11(b) + CM-6(a) + SRG-OS-000028-VMM-000090 + SRG-OS-000030-VMM-000110 + SRG-OS-000028-GPOS-00009 + The tmux package allows for a session lock to be implemented and configured. +However, the session lock is implemented by an external command. The tmux +default configuration does not contain an effective session lock. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +tmux_conf="/etc/tmux.conf" + +if grep -qP '^\s*set\s+-g\s+lock-command' "$tmux_conf" ; then + sed -i 's/^\s*set\s\+-g\s\+lock-command.*$/set -g lock-command vlock/' "$tmux_conf" +else + echo "set -g lock-command vlock" >> "$tmux_conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Configure the tmux Lock Command + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/tmux.conf + create: false + regexp: ^\s*set -g lock-command\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/tmux.conf + lineinfile: + path: /etc/tmux.conf + create: false + regexp: ^\s*set -g lock-command\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/tmux.conf + lineinfile: + path: /etc/tmux.conf + create: true + regexp: ^\s*set -g lock-command\s+ + line: set -g lock-command vlock + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-11(a) + - NIST-800-53-AC-11(b) + - NIST-800-53-CM-6(a) + - configure_tmux_lock_command + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Configure tmux to lock session after inactivity + To enable console screen locking in tmux terminal multiplexer +after a period of inactivity, +the lock-after-time option has to be set to nonzero value in +/etc/tmux.conf. + FMT_SMF_EXT.1 + SRG-OS-000029-GPOS-00010 + CCI-000057 + Locking the session after a period of inactivity limits the +potential exposure if the session is left unattended. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +tmux_conf="/etc/tmux.conf" + +if grep -qP '^\s*set\s+-g\s+lock-after-time' "$tmux_conf" ; then + sed -i 's/^\s*set\s\+-g\s\+lock-after-time.*$/set -g lock-after-time 900/' "$tmux_conf" +else + echo "set -g lock-after-time 900" >> "$tmux_conf" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Configure tmux to lock session after inactivity + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/tmux.conf + create: false + regexp: ^\s*set -g lock-after-time\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/tmux.conf + lineinfile: + path: /etc/tmux.conf + create: false + regexp: ^\s*set -g lock-after-time\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/tmux.conf + lineinfile: + path: /etc/tmux.conf + create: true + regexp: ^\s*set -g lock-after-time\s+ + line: set -g lock-after-time 900 + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - configure_tmux_lock_after_time + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Support session locking with tmux + The tmux terminal multiplexer is used to implement +automatic session locking. It should be started from +/etc/bashrc. + FMT_SMF_EXT.1 + SRG-OS-000031-GPOS-00012 + SRG-OS-000028-GPOS-00009 + CCI-000056 + Unlike bash itself, the tmux terminal multiplexer +provides a mechanism to lock sessions after period of inactivity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! 
grep -x ' case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then + cat >> /etc/bashrc <<'EOF' +if [ "$PS1" ]; then + parent=$(ps -o ppid= -p $$) + name=$(ps -o comm= -p $parent) + case "$name" in sshd|login) exec tmux ;; esac +fi +EOF +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + + + + Protect Accounts by Restricting Password-Based Login + Conventionally, Unix shell accounts are accessed by +providing a username and password to a login program, which tests +these values for correctness using the /etc/passwd and +/etc/shadow files. Password-based login is vulnerable to +guessing of weak passwords, and to sniffing and man-in-the-middle +attacks against passwords entered over a network or at an insecure +console. Therefore, mechanisms for accessing accounts by entering +usernames and passwords should be restricted to those which are +operationally necessary. + + Set Password Expiration Parameters + The file /etc/login.defs controls several +password-related settings. Programs such as passwd, +su, and +login consult /etc/login.defs to determine +behavior with regard to password aging, expiration warnings, +and length. See the man page login.defs(5) for more information. + +Users should be forced to change their passwords, in order to +decrease the utility of compromised passwords. However, the need to +change passwords often should be balanced against the risk that +users will reuse or write down passwords if forced to change them +too often. Forcing password changes every 90-360 days, depending on +the environment, is recommended. Set the appropriate value as +PASS_MAX_DAYS and apply it to existing accounts with the +-M flag. + +The PASS_MIN_DAYS (-m) setting prevents password +changes for 7 days after the first change, to discourage password +cycling. If you use this setting, train users to contact an administrator +for an emergency password change in case a new password becomes +compromised. 
The PASS_WARN_AGE (-W) setting gives +users 7 days of warnings at login time that their passwords are about to expire. + +For example, for each existing human user USER, expiration parameters +could be adjusted to a 180 day maximum password age, 7 day minimum password +age, and 7 day warning period with the following command: +$ sudo chage -M 180 -m 7 -W 7 USER + + maximum password age + Maximum age of password in days + This will only apply to newly created accounts + 365 + 120 + 180 + 60 + 90 + 60 + + + minimum password age + Minimum age of password in days + This will only apply to newly created accounts + 0 + 1 + 2 + 5 + 7 + 7 + + + minimum password length + Minimum number of characters in password + This will only check new passwords + 10 + 12 + 14 + 15 + 18 + 20 + 6 + 8 + 15 + + + warning days before password expires + The number of days' warning given before a password expires. + This will only apply to newly created accounts + 0 + 14 + 7 + 7 + + + Set Password Warning Age + To specify how many days prior to password +expiration that a warning will be issued to users, +edit the file /etc/login.defs and add or correct + the following line: +PASS_WARN_AGE +The DoD requirement is 7. +The profile requirement is . 
+ 3.5.8 + IA-5(f) + IA-5(1)(d) + CM-6(a) + DE.CM-1 + DE.CM-3 + PR.AC-1 + PR.AC-4 + PR.AC-6 + PR.AC-7 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 6.2 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + DSS01.03 + DSS03.05 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.12.4.1 + A.12.4.3 + A.18.1.4 + A.6.1.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + 7 + 8 + 0418 + 1055 + 1402 + Setting the password warning age enables users to +make the change at a practical time. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q login; then + + +declare var_accounts_password_warn_age_login_defs +var_accounts_password_warn_age_login_defs="" + + + +grep -q ^PASS_WARN_AGE /etc/login.defs && \ +sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs +if ! [ $? 
-eq 0 ] +then + echo -e "PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs" >> /etc/login.defs +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-171-3.5.8 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(d) + - NIST-800-53-IA-5(f) + - accounts_password_warn_age_login_defs + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_accounts_password_warn_age_login_defs # promote to variable + set_fact: + var_accounts_password_warn_age_login_defs: !!str + tags: + - always + +- name: Set Password Warning Age + lineinfile: + dest: /etc/login.defs + regexp: ^PASS_WARN_AGE *[0-9]* + state: present + line: PASS_WARN_AGE {{ var_accounts_password_warn_age_login_defs }} + create: true + when: '"login" in ansible_facts.packages' + tags: + - NIST-800-171-3.5.8 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(d) + - NIST-800-53-IA-5(f) + - accounts_password_warn_age_login_defs + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Set Password Minimum Age + To specify password minimum age for new accounts, +edit the file /etc/login.defs +and add or correct the following line: +PASS_MIN_DAYS +A value of 1 day is considered sufficient for many +environments. The DoD requirement is 1. +The profile requirement is . 
+ 5.6.2.1.1 + 3.5.8 + CCI-000198 + IA-5(f) + IA-5(1)(d) + CM-6(a) + PR.AC-1 + PR.AC-6 + PR.AC-7 + SRG-OS-000075-GPOS-00043 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + 0418 + 1055 + 1402 + Enforcing a minimum password lifetime helps to prevent repeated password +changes to defeat the password reuse or history enforcement requirement. If +users are allowed to immediately and continually change their password, +then the password could be repeatedly changed in a short period of time to +defeat the organization's policy regarding password reuse. + +Setting the minimum password age protects against users cycling back to a +favorite password after satisfying the password reuse requirement. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q login; then + + +declare var_accounts_minimum_age_login_defs +var_accounts_minimum_age_login_defs="" + + + +grep -q ^PASS_MIN_DAYS /etc/login.defs && \ +sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs/g" /etc/login.defs +if ! [ $? 
-eq 0 ] +then + echo -e "PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs" >> /etc/login.defs +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.6.2.1.1 + - NIST-800-171-3.5.8 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(d) + - NIST-800-53-IA-5(f) + - accounts_minimum_age_login_defs + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_accounts_minimum_age_login_defs # promote to variable + set_fact: + var_accounts_minimum_age_login_defs: !!str + tags: + - always + +- name: Set Password Minimum Age + lineinfile: + create: true + dest: /etc/login.defs + regexp: ^#?PASS_MIN_DAYS + line: PASS_MIN_DAYS {{ var_accounts_minimum_age_login_defs }} + when: '"login" in ansible_facts.packages' + tags: + - CJIS-5.6.2.1.1 + - NIST-800-171-3.5.8 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(d) + - NIST-800-53-IA-5(f) + - accounts_minimum_age_login_defs + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Set Password Maximum Age + To specify password maximum age for new accounts, +edit the file /etc/login.defs +and add or correct the following line: +PASS_MAX_DAYS +A value of 180 days is sufficient for many environments. +The DoD requirement is 60. +The profile requirement is . 
+ 5.6.2.1 + 3.5.6 + CCI-000199 + IA-5(f) + IA-5(1)(d) + CM-6(a) + PR.AC-1 + PR.AC-6 + PR.AC-7 + Req-8.2.4 + SRG-OS-000076-GPOS-00044 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + 0418 + 1055 + 1402 + BP28(R18) + Any password, no matter how complex, can eventually be cracked. Therefore, passwords +need to be changed periodically. If the operating system does not limit the lifetime +of passwords and force users to change their passwords, there is the risk that the +operating system passwords could be compromised. + +Setting the password maximum age ensures users are required to +periodically change their passwords. Requiring shorter password lifetimes +increases the risk of users writing down the password in a convenient +location subject to physical compromise. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q login; then + + +var_accounts_maximum_age_login_defs="" + + + +grep -q ^PASS_MAX_DAYS /etc/login.defs && \ + sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs +if ! [ $? 
-eq 0 ]; then + echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.6.2.1 + - NIST-800-171-3.5.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(d) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.4 + - accounts_maximum_age_login_defs + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_accounts_maximum_age_login_defs # promote to variable + set_fact: + var_accounts_maximum_age_login_defs: !!str + tags: + - always + +- name: Set Password Maximum Age + lineinfile: + create: true + dest: /etc/login.defs + regexp: ^#?PASS_MAX_DAYS + line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }} + when: '"login" in ansible_facts.packages' + tags: + - CJIS-5.6.2.1 + - NIST-800-171-3.5.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(d) + - NIST-800-53-IA-5(f) + - PCI-DSS-Req-8.2.4 + - accounts_maximum_age_login_defs + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Set Password Minimum Length in login.defs + To specify password length requirements for new accounts, edit the file +/etc/login.defs and add or correct the following line: +PASS_MIN_LEN + +The DoD requirement is 15. +The FISMA requirement is 12. +The profile requirement is +. +If a program consults /etc/login.defs and also another PAM module +(such as pam_pwquality) during a password change operation, then +the most restrictive must be satisfied. See PAM section for more +information about enforcing password quality requirements. 
+ 5.6.2.1 + 3.5.7 + IA-5(f) + IA-5(1)(a) + CM-6(a) + PR.AC-1 + PR.AC-6 + PR.AC-7 + FMT_MOF_EXT.1 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + SRG-OS-000078-GPOS-00046 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + BP28(R18) + CCI-000205 + Requiring a minimum password length makes password +cracking attacks more difficult by ensuring a larger +search space. However, any security benefit from an onerous requirement +must be carefully weighed against usability problems, support costs, or counterproductive +behavior that may result. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q login; then + + +declare var_accounts_password_minlen_login_defs +var_accounts_password_minlen_login_defs="" + + + +grep -q ^PASS_MIN_LEN /etc/login.defs && \ +sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs +if ! [ $? 
-eq 0 ] +then + echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.6.2.1 + - NIST-800-171-3.5.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(f) + - accounts_password_minlen_login_defs + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_accounts_password_minlen_login_defs # promote to variable + set_fact: + var_accounts_password_minlen_login_defs: !!str + tags: + - always + +- name: Set Password Minimum Length in login.defs + lineinfile: + dest: /etc/login.defs + regexp: ^PASS_MIN_LEN *[0-9]* + state: present + line: PASS_MIN_LEN {{ var_accounts_password_minlen_login_defs }} + create: true + when: '"login" in ansible_facts.packages' + tags: + - CJIS-5.6.2.1 + - NIST-800-171-3.5.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(f) + - accounts_password_minlen_login_defs + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + + Restrict Root Logins + Direct root logins should be allowed only for emergency use. +In normal situations, the administrator should access the system +via a unique unprivileged account, and then use su or sudo to execute +privileged commands. Discouraging administrators from accessing the +root account directly ensures an audit trail in organizations with +multiple administrators. Locking down the channels through which +root can connect directly also reduces opportunities for +password-guessing against the root account. The login program +uses the file /etc/securetty to determine which interfaces +should allow root logins. 
+ +The virtual devices /dev/console +and /dev/tty* represent the system consoles (accessible via +the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default +installation). The default securetty file also contains /dev/vc/*. +These are likely to be deprecated in most environments, but may be retained +for compatibility. Root should also be prohibited from connecting +via network protocols. Other sections of this document +include guidance describing how to prevent root from logging in via SSH. + + Enforce usage of pam_wheel for su authentication + To ensure that only users who are members of the wheel group can +run commands with altered privileges through the su command, make +sure that the following line exists in the file /etc/pam.d/su: +auth required pam_wheel.so use_uid + FMT_SMF_EXT.1.1 + SRG-OS-000373-GPOS-00156 + SRG-OS-000312-GPOS-00123 + The su program allows to run commands with a substitute user and +group ID. It is commonly used to run commands as the root user. Limiting +access to such command is considered a good security practice. 
+ #!/bin/bash + +# uncomment the option if commented + sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su + + - name: restrict usage of su command only to members of wheel group + replace: + path: /etc/pam.d/su + regexp: ^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$ + replace: auth required pam_wheel.so use_uid + tags: + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - use_pam_wheel_for_su + + + + + + + + + + Restrict Virtual Console Root Logins + To restrict root logins through the (deprecated) virtual console devices, +ensure lines of this form do not appear in /etc/securetty: +vc/1 +vc/2 +vc/3 +vc/4 + 3.1.1 + 3.1.5 + CCI-000770 + 164.308(a)(1)(ii)(B) + 164.308(a)(7)(i) + 164.308(a)(7)(ii)(A) + 164.310(a)(1) + 164.310(a)(2)(i) + 164.310(a)(2)(ii) + 164.310(a)(2)(iii) + 164.310(b) + 164.310(c) + 164.310(d)(1) + 164.310(d)(2)(iii) + AC-6 + CM-6(a) + PR.AC-4 + PR.DS-5 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + SRG-OS-000324-GPOS-00125 + Preventing direct root login to virtual console devices +helps ensure accountability for actions taken on the system +using the root account. 
+ sed -i '/^vc\//d' /etc/securetty + + - name: Restrict Virtual Console Root Logins + lineinfile: + dest: /etc/securetty + regexp: ^vc + state: absent + tags: + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53-AC-6 + - NIST-800-53-CM-6(a) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - securetty_root_login_console_only + + + + + + + + + + Restrict Serial Port Root Logins + To restrict root logins on serial ports, +ensure lines of this form do not appear in /etc/securetty: +ttyS0 +ttyS1 + 3.1.1 + 3.1.5 + CCI-000770 + 164.308(a)(1)(ii)(B) + 164.308(a)(7)(i) + 164.308(a)(7)(ii)(A) + 164.310(a)(1) + 164.310(a)(2)(i) + 164.310(a)(2)(ii) + 164.310(a)(2)(iii) + 164.310(b) + 164.310(c) + 164.310(d)(1) + 164.310(d)(2)(iii) + AC-6 + CM-6(a) + PR.AC-4 + PR.DS-5 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + Preventing direct root login to serial port interfaces +helps ensure accountability for actions taken on the systems +using the root account. + sed -i '/ttyS/d' /etc/securetty + + - name: Restrict Serial Port Root Logins + lineinfile: + dest: /etc/securetty + regexp: ttyS[0-9] + state: absent + tags: + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53-AC-6 + - NIST-800-53-CM-6(a) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_serial_port_logins + - restrict_strategy + + + + + + + + + + Ensure that System Accounts Do Not Run a Shell Upon Login + Some accounts are not associated with a human user of the system, and exist to +perform some administrative function. 
Should an attacker be able to log into +these accounts, they should not be granted access to a shell. + +The login shell for each local account is stored in the last field of each line +in /etc/passwd. System accounts are those user accounts with a user ID +less than UID_MIN, where value of UID_MIN directive is set in +/etc/login.defs configuration file. In the default configuration UID_MIN is set +to 1000, thus system accounts are those user accounts with a user ID less than +1000. The user ID is stored in the third field. If any system account +SYSACCT (other than root) has a login shell, disable it with the +command: $ sudo usermod -s /sbin/nologin SYSACCT + Do not perform the steps in this section on the root account. Doing so might +cause the system to become inaccessible. + AC-6 + CM-6(a) + CCI-000366 + SRG-OS-000480-GPOS-00227 + DE.CM-1 + DE.CM-3 + PR.AC-1 + PR.AC-4 + PR.AC-6 + SR 1.1 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 6.2 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + DSS01.03 + DSS03.05 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + A.12.4.1 + A.12.4.3 + A.6.1.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + 7 + 8 + 1491 + Ensuring shells are not given to system accounts upon login makes it more +difficult for attackers to make use of system accounts. + + + + + + + + + Direct root Logins Not Allowed + To further limit access to the root account, administrators +can disable root logins at the console by editing the /etc/securetty file. +This file lists all devices the root user is allowed to login to. If the file does +not exist at all, the root user can login through any communication device on the +system, whether via the console or via a raw network interface. 
This is dangerous +as user can login to the system as root via Telnet, which sends the password in +plain text over the network. By default, Fedora's +/etc/securetty file only allows the root user to login at the console +physically attached to the system. To prevent root from logging in, remove the +contents of this file. To prevent direct root logins, remove the contents of this +file by typing the following command: + +$ sudo echo > /etc/securetty + + 3.1.1 + 3.1.6 + 164.308(a)(1)(ii)(B) + 164.308(a)(7)(i) + 164.308(a)(7)(ii)(A) + 164.310(a)(1) + 164.310(a)(2)(i) + 164.310(a)(2)(ii) + 164.310(a)(2)(iii) + 164.310(b) + 164.310(c) + 164.310(d)(1) + 164.310(d)(2)(iii) + IA-2 + CM-6(a) + PR.AC-1 + PR.AC-6 + PR.AC-7 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + BP28(R19) + Disabling direct root logins ensures proper accountability and multifactor +authentication to privileged accounts. Users will first login, then escalate +to privileged (root) access via su / sudo. This is required for FISMA Low +and FISMA Moderate systems. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +echo > /etc/securetty + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Direct root Logins Not Allowed + copy: + dest: /etc/securetty + content: '' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-2 + - low_complexity + - low_disruption + - medium_severity + - no_direct_root_logins + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:, + mode: 0600 + path: /etc/securetty + overwrite: true + + + + + + + + + + Verify Only Root Has UID 0 + If any account other than root has a UID of 0, this misconfiguration should +be investigated and the accounts other than root should be removed or have +their UID changed. + +If the account is associated with system commands or applications the UID +should be changed to one greater than "0" but less than "1000." +Otherwise assign a UID greater than "1000" that has not already been +assigned. 
+ 3.1.1 + 3.1.5 + CCI-000366 + IA-2 + AC-6(5) + IA-4(b) + PR.AC-1 + PR.AC-4 + PR.AC-6 + PR.AC-7 + PR.DS-5 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 5.2 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + APO01.06 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.02 + DSS06.03 + DSS06.10 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.18.1.4 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + An account has root authority if it has a UID of 0. Multiple accounts +with a UID of 0 afford more opportunity for potential intruders to +guess a password for a privileged account. Proper configuration of +sudo is recommended to afford multiple system administrators +access to root privileges in an accountable manner. + + + + + + + + + Restrict Web Browser Use for Administrative Accounts + Enforce policy requiring administrative accounts use web browsers only for +local service administration. + If a browser vulnerability is exploited while running with administrative privileges, +the entire system could be compromised. Specific exceptions for local service +administration should be documented in site-defined policy. + + + + + + Ensure that System Accounts Are Locked + Some accounts are not associated with a human user of the system, and exist to +perform some administrative function. An attacker should not be able to log into +these accounts. + +System accounts are those user accounts with a user ID +less than UID_MIN, where value of the UID_MIN directive is set in +/etc/login.defs configuration file. 
In the default configuration UID_MIN is set +to 500, thus system accounts are those user accounts with a user ID less than +500. If any system account SYSACCT (other than root) has an unlocked password, +disable it with the command: +$ sudo passwd -l SYSACCT + AC-6 + CM-6(a) + Disabling authentication for default system accounts makes it more difficult +for attackers to make use of them to compromise a system.false + + + + + + Root Path Must Be Vendor Default + Assuming root shell is bash, edit the following files: +~/.profile +~/.bashrc +Change any PATH variables to the vendor default for root and remove any +empty PATH entries or references to relative paths. + CM-6(a) + PR.IP-2 + 4.3.4.3.3 + APO13.01 + BAI03.01 + BAI03.02 + BAI03.03 + A.14.1.1 + A.14.2.1 + A.14.2.5 + A.6.1.5 + 18 + The root account's executable search path must be the vendor default, and must +contain only absolute paths. + + + + + + + Verify Proper Storage and Existence of Password +Hashes + By default, password hashes for local accounts are stored +in the second field (colon-separated) in +/etc/shadow. This file should be readable only by +processes running with root credentials, preventing users from +casually accessing others' password hashes and attempting +to crack them. +However, it remains possible to misconfigure the system +and store password hashes +in world-readable files such as /etc/passwd, or +to even store passwords themselves in plaintext on the system. +Using system-provided tools for password change/creation +should allow administrators to avoid such misconfiguration. + + Password Hashing algorithm + Specify the number of SHA rounds for the system password encryption algorithm. +Defines the value set in /etc/pam.d/system-auth and /etc/pam.d/password-auth + 5000 + 5000 + 65536 + + + All GIDs referenced in /etc/passwd must be defined in /etc/group + Add a group to the system for each GID referenced without a corresponding group. 
+ 5.5.2 + CCI-000764 + IA-2 + CM-6(a) + PR.AC-1 + PR.AC-6 + PR.AC-7 + Req-8.5.a + SRG-OS-000104-GPOS-00051 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group +with the Gruop Identifier (GID) is subsequently created, the user may have unintended rights to +any files associated with the group. + + + + + + + + + Ensure there are no legacy + NIS entries in /etc/shadow + The + character in /etc/shadow file marks a place where +entries from a network information service (NIS) should be directly inserted. + Using this method to include entries into /etc/shadow is considered legacy +and should be avoided. These entries may provide a way for an attacker +to gain access to the system. 
+ +if grep -q '^\+' /etc/shadow; then +# backup old file to /etc/shadow- + cp /etc/shadow /etc/shadow- + sed -i '/^\+.*$/d' /etc/shadow +fi + + - name: Backup the old /etc/shadow file + copy: + src: /etc/shadow + dest: /etc/shadow- + remote_src: true + tags: + - low_complexity + - medium_disruption + - medium_severity + - no_legacy_plus_entries_etc_shadow + - no_reboot_needed + - restrict_strategy + +- name: Remove lines starting with + from /etc/shadow + lineinfile: + regexp: ^\+.*$ + state: absent + path: /etc/shadow + tags: + - low_complexity + - medium_disruption + - medium_severity + - no_legacy_plus_entries_etc_shadow + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Verify No netrc Files Exist + The .netrc files contain login information +used to auto-login into FTP servers and reside in the user's home +directory. These files may contain unencrypted passwords to +remote FTP servers making them susceptible to access by unauthorized +users and should not be used. Any .netrc files should be removed. + CCI-000196 + IA-5(h) + IA-5(1)(c) + CM-6(a) + IA-5(7) + PR.AC-1 + PR.AC-4 + PR.AC-6 + PR.AC-7 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.06 + DSS06.10 + A.18.1.4 + A.6.1.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 14 + 15 + 16 + 18 + 3 + 5 + Unencrypted passwords for remote FTP servers may be stored in .netrc +files. 
+ + + + + + + + + Verify All Account Password Hashes are Shadowed + If any password hashes are stored in /etc/passwd (in the second field, +instead of an x or *), the cause of this misconfiguration should be +investigated. The account should have its password reset and the hash should be +properly stored, or the account should be deleted entirely. + 5.5.2 + 3.5.10 + IA-5(h) + CM-6(a) + PR.AC-1 + PR.AC-6 + PR.AC-7 + Req-8.2.1 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + 1410 + The hashes for all user account passwords should be stored in +the file /etc/shadow and never in /etc/passwd, +which is readable by all users. + + + + + + + + + Prevent Login to Accounts With Empty Password + If an account is configured for password authentication +but does not have an assigned password, it may be possible to log +into the account without authentication. Remove any instances of the +nullok in + +/etc/pam.d/system-auth + +to prevent logins with empty passwords. 
+ 5.5.2 + 3.1.1 + 3.1.5 + CCI-000366 + 164.308(a)(1)(ii)(B) + 164.308(a)(7)(i) + 164.308(a)(7)(ii)(A) + 164.310(a)(1) + 164.310(a)(2)(i) + 164.310(a)(2)(ii) + 164.310(a)(2)(iii) + 164.310(b) + 164.310(c) + 164.310(d)(1) + 164.310(d)(2)(iii) + IA-5(1)(a) + IA-5(c) + CM-6(a) + PR.AC-1 + PR.AC-4 + PR.AC-6 + PR.AC-7 + PR.DS-5 + FIA_UAU.1 + Req-8.2.3 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 5.2 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + APO01.06 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.02 + DSS06.03 + DSS06.10 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.18.1.4 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + If an account has an empty password, anyone could log in and +run commands with the privileges of that account. Accounts with +empty passwords should never be used in operational environments. 
+ sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/system-auth +sed --follow-symlinks -i 's/\<nullok\>//g' /etc/pam.d/password-auth + + - name: Prevent Log In to Accounts With Empty Password - system-auth + replace: + dest: /etc/pam.d/system-auth + regexp: nullok + tags: + - CJIS-5.5.2 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - configure_strategy + - high_severity + - low_complexity + - medium_disruption + - no_empty_passwords + - no_reboot_needed + +- name: Prevent Log In to Accounts With Empty Password - password-auth + replace: + dest: /etc/pam.d/password-auth + regexp: nullok + tags: + - CJIS-5.5.2 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(a) + - NIST-800-53-IA-5(c) + - PCI-DSS-Req-8.2.3 + - configure_strategy + - high_severity + - low_complexity + - medium_disruption + - no_empty_passwords + - no_reboot_needed + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A + mode: 0644 + path: /etc/pam.d/password-auth + overwrite: true + - contents: + source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A + mode: 0644 + path: /etc/pam.d/system-auth + overwrite: true + + + + + + + + + + Set number of Password Hashing Rounds - password-auth + Configure the number or rounds for the password hashing algorithm. This can be +accomplished by using the rounds option for the pam_unix PAM module. + +In file /etc/pam.d/password-auth append rounds= +to the pam_unix.so file, as shown below: +password sufficient pam_unix.so ...existing_options... rounds= +The system's default number of rounds is 5000. + Setting a high number of hashing rounds makes it more difficult to brute force the password, +but requires more CPU resources to authenticate users. + BP28(R32) + SRG-OS-000073-GPOS-00041 + CCI-000196 + Using a higher number of rounds makes password cracking attacks more difficult. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + + +var_password_pam_unix_rounds="" + + + +pamFile="/etc/pam.d/password-auth" + +if grep -q "rounds=" $pamFile; then + sed -iP --follow-symlinks "/password[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so/ \ + s/rounds=[[:digit:]]\+/rounds=$var_password_pam_unix_rounds/" $pamFile +else + sed -iP --follow-symlinks "/password[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so/ s/$/ rounds=$var_password_pam_unix_rounds/" $pamFile +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - accounts_password_pam_unix_rounds_password_auth + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed +- name: XCCDF Value var_password_pam_unix_rounds # promote to variable + set_fact: + var_password_pam_unix_rounds: !!str + tags: + - always + +- name: Configure number of password-auth 
password hashing rounds in pam_unix.so + pamd: + name: password-auth + type: password + control: sufficient + module_path: pam_unix.so + module_arguments: rounds={{ var_password_pam_unix_rounds }} + state: args_present + when: '"pam" in ansible_facts.packages' + tags: + - accounts_password_pam_unix_rounds_password_auth + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + + Ensure there are no legacy + NIS entries in /etc/passwd + The + character in /etc/passwd file marks a place where +entries from a network information service (NIS) should be directly inserted. + Using this method to include entries into /etc/passwd is considered legacy +and should be avoided. These entries may provide a way for an attacker +to gain access to the system. + +if grep -q '^\+' /etc/passwd; then +# backup old file to /etc/passwd- + cp /etc/passwd /etc/passwd- + sed -i '/^\+.*$/d' /etc/passwd +fi + + - name: Backup the old /etc/passwd file + copy: + src: /etc/passwd + dest: /etc/passwd- + remote_src: true + tags: + - low_complexity + - medium_disruption + - medium_severity + - no_legacy_plus_entries_etc_passwd + - no_reboot_needed + - restrict_strategy + +- name: Remove lines starting with + from /etc/passwd + lineinfile: + regexp: ^\+.*$ + state: absent + path: /etc/passwd + tags: + - low_complexity + - medium_disruption + - medium_severity + - no_legacy_plus_entries_etc_passwd + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Set number of Password Hashing Rounds - system-auth + Configure the number or rounds for the password hashing algorithm. This can be +accomplished by using the rounds option for the pam_unix PAM module. + +In file /etc/pam.d/system-auth append rounds= +to the pam_unix.so file, as shown below: +password sufficient pam_unix.so ...existing_options... rounds= +The system's default number of rounds is 5000. 
+ Setting a high number of hashing rounds makes it more difficult to brute force the password, +but requires more CPU resources to authenticate users. + BP28(R32) + SRG-OS-000073-GPOS-00041 + CCI-000196 + Using a higher number of rounds makes password cracking attacks more difficult. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q pam; then + + +var_password_pam_unix_rounds="" + + + +pamFile="/etc/pam.d/system-auth" + +if grep -q "rounds=" $pamFile; then + sed -iP --follow-symlinks "/password[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so/ \ + s/rounds=[[:digit:]]\+/rounds=$var_password_pam_unix_rounds/" $pamFile +else + sed -iP --follow-symlinks "/password[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so/ s/$/ rounds=$var_password_pam_unix_rounds/" $pamFile +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - accounts_password_pam_unix_rounds_system_auth + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed +- name: XCCDF Value var_password_pam_unix_rounds # promote to variable + set_fact: + var_password_pam_unix_rounds: !!str + tags: + - always + +- name: Configure number of system-auth password hashing rounds in pam_unix.so + pamd: + name: system-auth + type: password + control: sufficient + module_path: pam_unix.so + module_arguments: rounds={{ var_password_pam_unix_rounds }} + state: args_present + when: '"pam" in ansible_facts.packages' + tags: + - accounts_password_pam_unix_rounds_system_auth + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + + Ensure there are no legacy + NIS entries in /etc/group + The + character in /etc/group file marks a place where +entries from a network information service (NIS) should be directly inserted. 
+ Using this method to include entries into /etc/group is considered legacy +and should be avoided. These entries may provide a way for an attacker +to gain access to the system. + +if grep -q '^\+' /etc/group; then +# backup old file to /etc/group- + cp /etc/group /etc/group- + sed -i '/^\+.*$/d' /etc/group +fi + + - name: Backup the old /etc/group file + copy: + src: /etc/group + dest: /etc/group- + remote_src: true + tags: + - low_complexity + - medium_disruption + - medium_severity + - no_legacy_plus_entries_etc_group + - no_reboot_needed + - restrict_strategy + +- name: Remove lines starting with + from /etc/group + lineinfile: + regexp: ^\+.*$ + state: absent + path: /etc/group + tags: + - low_complexity + - medium_disruption + - medium_severity + - no_legacy_plus_entries_etc_group + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Set Account Expiration Parameters + Accounts can be configured to be automatically disabled +after a certain time period, +meaning that they will require administrator interaction to become usable again. +Expiration of accounts after inactivity can be set for all accounts by default +and also on a per-account basis, such as for accounts that are known to be temporary. +To configure automatic expiration of an account following +the expiration of its password (that is, after the password has expired and not been changed), +run the following command, substituting NUM_DAYS and USER appropriately: +$ sudo chage -I NUM_DAYS USER +Accounts, such as temporary accounts, can also be configured to expire on an explicitly-set date with the +-E option. +The file /etc/default/useradd controls +default settings for all newly-created accounts created with the system's +normal command line utilities. + This will only apply to newly created accounts + + number of days after a password expires until the account is permanently disabled + The number of days to wait after a password expires, until the account will be permanently disabled. 
+ 0 + 180 + 30 + 35 + 40 + 60 + 90 + 35 + + + Assign Expiration Date to Temporary Accounts + Temporary accounts are established as part of normal account activation +procedures when there is a need for short-term accounts. In the event +temporary or emergency accounts are required, configure the system to +terminate them after a documented time period. For every temporary and +emergency account, run the following command to set an expiration date on +it, substituting USER and YYYY-MM-DD +appropriately: +$ sudo chage -E YYYY-MM-DD USER +YYYY-MM-DD indicates the documented expiration date for the +account. For U.S. Government systems, the operating system must be +configured to automatically terminate these types of accounts after a +period of 72 hours. + CCI-000016 + CCI-001682 + AC-2(2) + AC-2(3) + CM-6(a) + DE.CM-1 + DE.CM-3 + PR.AC-1 + PR.AC-4 + PR.AC-6 + SRG-OS-000123-GPOS-00064 + SRG-OS-000002-GPOS-00002 + SRG-OS-000002-VMM-000020 + SRG-OS-000123-VMM-000620 + SR 1.1 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 6.2 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + DSS01.03 + DSS03.05 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + A.12.4.1 + A.12.4.3 + A.6.1.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + 7 + 8 + If temporary user accounts remain active when no longer needed or for +an excessive period, these accounts may be used to gain unauthorized access. +To mitigate this risk, automated termination of all temporary accounts +must be set upon account creation. + + + + + + + Use Centralized and Automated Authentication + Implement an automated system for managing user accounts that minimizes the +risk of errors, either intentional or deliberate. 
This system +should integrate with an existing enterprise user management system, such as +one based on Identity Management tools such as Active Directory, Kerberos, +Directory Server, etc. + A comprehensive account management process that includes automation helps to +ensure the accounts designated as requiring attention are consistently and +promptly addressed. Enterprise environments make user account management +challenging and complex. A user management process requiring administrators to +manually address account management functions adds risk of potential +oversight. + + + + + + Set Account Expiration Following Inactivity + To specify the number of days after a password expires (which +signifies inactivity) until an account is permanently disabled, add or correct +the following line in /etc/default/useradd: +INACTIVE= +If a password is currently on the verge of expiration, then + +day(s) remain(s) until the account is automatically +disabled. However, if the password will not expire for another 60 days, then 60 +days plus day(s) could +elapse until the account would be automatically disabled. See the +useradd man page for more information. 
+ 5.6.2.1.1 + 3.5.6 + CCI-000017 + CCI-000795 + IA-4(e) + AC-2(3) + CM-6(a) + DE.CM-1 + DE.CM-3 + PR.AC-1 + PR.AC-4 + PR.AC-6 + PR.AC-7 + Req-8.1.4 + SRG-OS-000118-GPOS-00060 + SRG-OS-000003-VMM-000030 + SRG-OS-000118-VMM-000590 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 6.2 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + DSS01.03 + DSS03.05 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.12.4.1 + A.12.4.3 + A.18.1.4 + A.6.1.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + 7 + 8 + Disabling inactive accounts ensures that accounts which may not +have been responsibly removed are not available to attackers +who may have compromised their credentials. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q login; then + + +var_account_disable_post_pw_expiration="" + +replace_or_append '/etc/default/useradd' '^INACTIVE' "$var_account_disable_post_pw_expiration" '' '%s=%s' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.6.2.1.1 + - NIST-800-171-3.5.6 + - NIST-800-53-AC-2(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-4(e) + - PCI-DSS-Req-8.1.4 + - account_disable_post_pw_expiration + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_account_disable_post_pw_expiration # promote to variable + set_fact: + var_account_disable_post_pw_expiration: !!str + tags: + - always + +- name: Set Account Expiration Following Inactivity + lineinfile: + create: true + dest: /etc/default/useradd + regexp: ^INACTIVE + line: INACTIVE={{ 
var_account_disable_post_pw_expiration }} + when: '"login" in ansible_facts.packages' + tags: + - CJIS-5.6.2.1.1 + - NIST-800-171-3.5.6 + - NIST-800-53-AC-2(3) + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-4(e) + - PCI-DSS-Req-8.1.4 + - account_disable_post_pw_expiration + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Ensure All Accounts on the System Have Unique Names + Ensure accounts on the system have unique names. + +To ensure all accounts have unique names, run the following command: +$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d +If a username is returned, change or delete the username. + 5.5.2 + CCI-000770 + CCI-000804 + Req-8.1.1 + Unique usernames allow for accountability on the system. + + + + + + + + + + + Secure Session Configuration Files for Login Accounts + When a user logs into a Unix account, the system +configures the user's session by reading a number of files. Many of +these files are located in the user's home directory, and may have +weak permissions as a result of user error or misconfiguration. If +an attacker can modify or even read certain types of account +configuration information, they can often gain full access to the +affected user's account. Therefore, it is important to test and +correct configuration file permissions for interactive accounts, +particularly those of privileged users such as root or system +administrators. + + Maximum login attempts delay + Maximum time in seconds between fail login attempts before re-prompting. + 1 + 2 + 3 + 4 + 5 + 4 + + + Maximum concurrent login sessions + Maximum number of concurrent sessions by a user + 1 + 10 + 15 + 20 + 3 + 5 + 1 + + + Account Inactivity Timeout (minutes) + In an interactive shell, the value is interpreted as the +number of seconds to wait for input after issuing the primary prompt. +Bash terminates after waiting for that number of seconds if input does +not arrive. 
+ 1800 + 600 + 900 + 300 + 600 + + + Configure Polyinstantiation of /tmp Directories + To configure polyinstantiated /tmp directories, first create the parent directories +which will hold the polyinstantiation child directories. Use the following command: +$ sudo mkdir --mode 000 /tmp/tmp-inst +Then, add the following entry to /etc/security/namespace.conf: +/tmp /tmp/tmp-inst/ level root,adm + BP28(R39) + Polyinstantiation of temporary directories is a proactive security measure +which reduces chances of attacks that are made possible by /tmp +directories being world-writable. + if ! [ -d /tmp/tmp-inst ] ; then + mkdir --mode 000 /tmp/tmp-inst +fi +chmod 000 /tmp/tmp-inst +chcon --reference=/tmp /tmp/tmp-inst + +if ! grep -Eq '^\s*/tmp\s+/tmp/tmp-inst/\s+level\s+root,adm$' /etc/security/namespace.conf ; then + if grep -Eq '^\s*/tmp\s+' /etc/security/namespace.conf ; then + sed -i '/^\s*\/tmp/d' /etc/security/namespace.conf + fi + echo "/tmp /tmp/tmp-inst/ level root,adm" >> /etc/security/namespace.conf +fi + + - name: Create /tmp/tmp-inst directory + file: + path: /tmp/tmp-inst + state: directory + mode: '000' + seuser: system_u + serole: object_r + setype: tmp_t + tags: + - accounts_polyinstantiated_tmp + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - restrict_strategy + +- name: Make changes to /etc/security/namespace.conf + lineinfile: + path: /etc/security/namespace.conf + create: false + regexp: ^\s*/tmp\s+/tmp/tmp-inst/\s+level\s+root,adm$ + line: /tmp /tmp/tmp-inst/ level root,adm + state: present + tags: + - accounts_polyinstantiated_tmp + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure the Logon Failure Delay is Set Correctly in login.defs + To ensure the logon failure delay controlled by /etc/login.defs is set properly, +add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows: +FAIL_DELAY + CCI-000366 + AC-7(b) + CM-6(a) + PR.IP-1 
+ SRG-OS-000480-GPOS-00226 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 3 + 9 + Increasing the time between a failed authentication attempt and re-prompting to +enter credentials helps to slow a single-threaded brute force attack. + + + + + + + + + + + Limit the Number of Concurrent Login Sessions Allowed Per User + Limiting the number of allowed users and sessions per user can limit risks related to Denial of +Service attacks. This addresses concurrent sessions for a single account and does not address +concurrent sessions by a single user via multiple accounts. To set the number of concurrent +sessions per user add the following line in /etc/security/limits.conf or +a file under /etc/security/limits.d/: +* hard maxlogins + 5.5.2.2 + CCI-000054 + AC-10 + CM-6(a) + PR.AC-5 + SRG-OS-000027-GPOS-00008 + SRG-OS-000027-VMM-000080 + SR 3.1 + SR 3.8 + 4.3.3.4 + DSS01.05 + DSS05.02 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.14.1.2 + A.14.1.3 + 14 + 15 + 18 + 9 + Limiting simultaneous user logins can insulate the system from denial of service +problems caused by excessive logins. Automated login processes operating improperly or +maliciously may result in an exceptional number of simultaneous login sessions. 
+ + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-10 + - NIST-800-53-CM-6(a) + - accounts_max_concurrent_login_sessions + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_accounts_max_concurrent_login_sessions # promote to variable + set_fact: + var_accounts_max_concurrent_login_sessions: !!str + tags: + - always + +- name: Find /etc/security/limits.d files containing maxlogins configuration + find: + paths: /etc/security/limits.d + contains: ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins + patterns: '*.conf' + register: maxlogins + when: '"pam" in ansible_facts.packages' + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-10 + - NIST-800-53-CM-6(a) + - accounts_max_concurrent_login_sessions + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - restrict_strategy + +- name: Limit the Number of Concurrent Login Sessions Allowed Per User in files from + limits.d + replace: + dest: '{{ item.path }}' + regexp: ^#?\*.*maxlogins.* + replace: '* hard maxlogins {{ var_accounts_max_concurrent_login_sessions + }}' + with_items: + - '{{ maxlogins.files }}' + when: '"pam" in ansible_facts.packages' + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-10 + - NIST-800-53-CM-6(a) + - accounts_max_concurrent_login_sessions + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - restrict_strategy + +- name: Limit the Number of Concurrent Login Sessions Allowed Per User + lineinfile: + state: present + dest: /etc/security/limits.conf + insertbefore: ^# End of file + regexp: ^#?\*.*maxlogins + line: '* hard maxlogins {{ var_accounts_max_concurrent_login_sessions + }}' + create: true + when: + - '"pam" in ansible_facts.packages' + - maxlogins.matched == 0 + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-10 + - NIST-800-53-CM-6(a) + - accounts_max_concurrent_login_sessions + - low_complexity + - low_disruption + - low_severity 
+ - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Ensure that User Home Directories are not Group-Writable or World-Readable + For each human user of the system, view the +permissions of the user's home directory: +# ls -ld /home/USER +Ensure that the directory is not group-writable and that it +is not world-readable. If necessary, repair the permissions: +# chmod g-w /home/USER +# chmod o-rwx /home/USER + This action may involve modifying user home directories. +Notify your user community, and solicit input if appropriate, +before making this type of change. + CCI-000225 + CM-6(a) + AC-6(1) + CM-6(a) + PR.AC-4 + PR.DS-5 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + User home directories contain many configuration files which +affect the behavior of a user's account. No user should ever have +write permission to another user's home directory. Group shared +directories can be configured in sub-directories or elsewhere in the +filesystem if they are needed. Typically, user home directories +should not be world-readable, as it would disclose file names +to other users. If a subset of users need read access +to one another's home directories, this can be provided using +groups or ACLs. + + + + + + + + + Ensure Home Directories are Created for New Users + All local interactive user accounts, upon creation, should be assigned a home directory. 
+ +Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME +parameter in /etc/login.defs to yes as follows: + +CREATE_HOME yes + CCI-000366 + SRG-OS-000480-GPOS-00227 + If local interactive users are not assigned a valid home directory, there is no place +for the storage and control of files they should own. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q login; then + +if [ -e "/etc/login.defs" ] ; then + LC_ALL=C sed -i "/^\s*CREATE_HOME\s\+/Id" "/etc/login.defs" +else + touch "/etc/login.defs" +fi +cp "/etc/login.defs" "/etc/login.defs.bak" +# Insert before the line matching the regex '^\s*CREATE_HOME'. +line_number="$(LC_ALL=C grep -n "^\s*CREATE_HOME" "/etc/login.defs.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^\s*CREATE_HOME', insert at + # the end of the file. + printf '%s\n' "CREATE_HOME yes" >> "/etc/login.defs" +else + head -n "$(( line_number - 1 ))" "/etc/login.defs.bak" > "/etc/login.defs" + printf '%s\n' "CREATE_HOME yes" >> "/etc/login.defs" + tail -n "+$(( line_number ))" "/etc/login.defs.bak" >> "/etc/login.defs" +fi +# Clean up after ourselves. 
+rm "/etc/login.defs.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - accounts_have_homedir_login_defs + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Ensure new users receive home directories + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/login.defs + create: false + regexp: ^\s*CREATE_HOME\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/login.defs + lineinfile: + path: /etc/login.defs + create: false + regexp: ^\s*CREATE_HOME\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/login.defs + lineinfile: + path: /etc/login.defs + create: true + regexp: ^\s*CREATE_HOME\s+ + line: CREATE_HOME yes + state: present + when: '"login" in ansible_facts.packages' + tags: + - accounts_have_homedir_login_defs + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Configure Polyinstantiation of /var/tmp Directories + To configure polyinstantiated /tmp directories, first create the parent directories +which will hold the polyinstantiation child directories. Use the following command: +$ sudo mkdir --mode 000 /var/tmp/tmp-inst +Then, add the following entry to /etc/security/namespace.conf: +/var/tmp /var/tmp/tmp-inst/ level root,adm + BP28(R39) + Polyinstantiation of temporary directories is a proactive security measure +which reduces chances of attacks that are made possible by /var/tmp +directories being world-writable. + if ! [ -d /tmp-inst ] ; then + mkdir --mode 000 /var/tmp/tmp-inst +fi +chmod 000 /var/tmp/tmp-inst +chcon --reference=/var/tmp/ /var/tmp/tmp-inst + +if ! 
grep -Eq '^\s*/var/tmp\s+/var/tmp/tmp-inst/\s+level\s+root,adm$' /etc/security/namespace.conf ; then + if grep -Eq '^\s*/var/tmp\s+' /etc/security/namespace.conf ; then + sed -i '/^\s*\/var\/tmp/d' /etc/security/namespace.conf + fi + echo "/var/tmp /var/tmp/tmp-inst/ level root,adm" >> /etc/security/namespace.conf +fi + + - name: Create /var/tmp/tmp-inst directory + file: + path: /var/tmp/tmp-inst + state: directory + mode: '000' + seuser: system_u + serole: object_r + setype: tmp_t + tags: + - accounts_polyinstantiated_var_tmp + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - restrict_strategy + +- name: Make changes to /etc/security/namespace.conf + lineinfile: + path: /etc/security/namespace.conf + create: false + regexp: ^\s*/var/tmp\s+/var/tmp/tmp-inst/\s+level\s+root,adm$ + line: /var/tmp /var/tmp/tmp-inst/ level root,adm + state: present + tags: + - accounts_polyinstantiated_var_tmp + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Set Interactive Session Timeout + Setting the TMOUT option in /etc/profile ensures that +all user sessions will terminate based on inactivity. The TMOUT + +setting in a file loaded by /etc/profile, e.g. 
+/etc/profile.d/tmout.sh should read as follows: +TMOUT= + 3.1.11 + CCI-000057 + CCI-001133 + CCI-002361 + AC-12 + SC-10 + AC-2(5) + CM-6(a) + PR.AC-7 + FMT_MOF_EXT.1 + SRG-OS-000163-GPOS-00072 + SRG-OS-000029-GPOS-00010 + SRG-OS-000163-VMM-000700 + SRG-OS-000279-VMM-001010 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + BP28(R29) + Terminating an idle session within a short time period reduces +the window of opportunity for unauthorized personnel to take control of a +management session enabled on the console or console port that has been +left unattended. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +var_accounts_tmout="" + + + +# if 0, no occurence of tmout found, if 1, occurence found +tmout_found=0 + +for f in /etc/profile /etc/profile.d/*.sh; do + if grep --silent '^\s*TMOUT' $f; then + sed -i -E "s/^(\s*)TMOUT\s*=\s*(\w|\$)*(.*)$/\1TMOUT=$var_accounts_tmout\3/g" $f + $tmout_found=1 + fi +done + +if [ $tmout_found -eq 0 ]; then + echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile.d/tmout.sh + echo "TMOUT=$var_accounts_tmout" >> /etc/profile.d/tmout.sh +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_accounts_tmout # promote to variable + set_fact: + var_accounts_tmout: !!str + tags: + - always + +- name: Set Interactive Session Timeout + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/profile.d/tmout.sh + create: false + regexp: ^\s*TMOUT= + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/profile.d/tmout.sh + lineinfile: + path: /etc/profile.d/tmout.sh + create: 
false + regexp: ^\s*TMOUT= + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/profile.d/tmout.sh + lineinfile: + path: /etc/profile.d/tmout.sh + create: true + regexp: ^\s*TMOUT= + line: TMOUT={{ var_accounts_tmout }} + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.11 + - NIST-800-53-AC-12 + - NIST-800-53-AC-2(5) + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-10 + - accounts_tmout + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Ensure that No Dangerous Directories Exist in Root's Path + The active path of the root account can be obtained by +starting a new root shell and running: +# echo $PATH +This will produce a colon-separated list of +directories in the path. + +Certain path elements could be considered dangerous, as they could lead +to root executing unknown or +untrusted programs, which could contain malicious +code. +Since root may sometimes work inside +untrusted directories, the . character, which represents the +current directory, should never be in the root path, nor should any +directory which can be written to by an unprivileged or +semi-privileged (system) user. + +It is a good practice for administrators to always execute +privileged commands by typing the full path to the +command. + + Ensure that Root's Path Does Not Include Relative Paths or Null Directories + Ensure that none of the directories in root's path is equal to a single +. character, or +that it contains any instances that lead to relative path traversal, such as +.. or beginning a path without the slash (/) character. +Also ensure that there are no "empty" elements in the path, such as in these examples: +PATH=:/bin +PATH=/bin: +PATH=/bin::/sbin +These empty elements have the same effect as a single . character. 
+ CCI-000366 + CM-6(a) + CM-6(a) + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 3 + 9 + PR.IP-1 + Including these entries increases the risk that root could +execute code from an untrusted location. + + + + + + Ensure that Root's Path Does Not Include World or Group-Writable Directories + For each element in root's path, run: +# ls -ld DIR +and ensure that write permissions are disabled for group and +other. + CCI-000366 + CM-6(a) + CM-6(a) + PR.IP-1 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 3 + 9 + Such entries increase the risk that root could +execute code provided by unprivileged users, +and potentially malicious code. + - name: Print error message if user is not root + fail: + msg: Root account required to read root $PATH + when: ansible_user != "root" + ignore_errors: true + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(a) + - accounts_root_path_dirs_no_write + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Get root paths which are not symbolic links + stat: + path: '{{ item }}' + changed_when: false + failed_when: false + register: root_paths + with_items: '{{ ansible_env.PATH.split('':'') }}' + when: ansible_user == "root" + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(a) + - accounts_root_path_dirs_no_write + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Disable writability to root directories + file: + path: '{{ item.item }}' + mode: g-w,o-w + with_items: '{{ root_paths.results }}' + when: + - root_paths.results is defined + - item.stat.exists + - not item.stat.islnk + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(a) + - accounts_root_path_dirs_no_write + - low_complexity + - medium_disruption + - 
medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Ensure that Users Have Sensible Umask Values + The umask setting controls the default permissions +for the creation of new files. +With a default umask setting of 077, files and directories +created by users will not be readable by any other user on the +system. Users who wish to make specific files group- or +world-readable can accomplish this by using the chmod command. +Additionally, users can make all their files readable to their +group by default by setting a umask of 027 in their shell +configuration files. If default per-user groups exist (that is, if +every user has a default group whose name is the same as that +user's username and whose only member is the user), then it may +even be safe for users to select a umask of 007, making it very +easy to intentionally share files with groups of which the user is +a member. + + + Sensible umask + Enter default user umask + 007 + 022 + 027 + 077 + 027 + + + Ensure the Default Umask is Set Correctly in login.defs + To ensure the default umask controlled by /etc/login.defs is set properly, +add or correct the UMASK setting in /etc/login.defs to read as follows: +UMASK + CCI-000366 + AC-6(1) + CM-6(a) + PR.IP-1 + PR.IP-2 + SRG-OS-000480-GPOS-00228 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI03.01 + BAI03.02 + BAI03.03 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.1.1 + A.14.2.1 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.14.2.5 + A.6.1.5 + 11 + 18 + 3 + 9 + BP28(R35) + The umask value influences the permissions assigned to files when they are created. +A misconfigured umask value could result in files with excessive permissions that can be read and +written to by unauthorized users. 
+ + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - accounts_umask_etc_login_defs + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy +- name: XCCDF Value var_accounts_user_umask # promote to variable + set_fact: + var_accounts_user_umask: !!str + tags: + - always + +- name: Ensure the Default UMASK is Set Correctly + lineinfile: + create: true + dest: /etc/login.defs + regexp: ^UMASK + line: UMASK {{ var_accounts_user_umask }} + when: '"login" in ansible_facts.packages' + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - accounts_umask_etc_login_defs + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Ensure the Default Umask is Set Correctly in /etc/profile + To ensure the default umask controlled by /etc/profile is set properly, +add or correct the umask setting in /etc/profile to read as follows: +umask + CCI-000366 + AC-6(1) + CM-6(a) + PR.IP-2 + 4.3.4.3.3 + APO13.01 + BAI03.01 + BAI03.02 + BAI03.03 + A.14.1.1 + A.14.2.1 + A.14.2.5 + A.6.1.5 + 18 + BP28(R35) + SRG-OS-000480-GPOS-00228 + The umask value influences the permissions assigned to files when they are created. +A misconfigured umask value could result in files with excessive permissions that can be read or +written to by unauthorized users. 
+ - name: XCCDF Value var_accounts_user_umask # promote to variable + set_fact: + var_accounts_user_umask: !!str + tags: + - always + +- name: Set user umask in /etc/profile + replace: + path: /etc/profile + regexp: umask.* + replace: umask {{ var_accounts_user_umask }} + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - accounts_umask_etc_profile + - low_complexity + - low_disruption + - no_reboot_needed + - restrict_strategy + - unknown_severity + + + + + + + + + + + + + + System Accounting with auditd + The audit service provides substantial capabilities +for recording system activities. By default, the service audits about +SELinux AVC denials and certain types of security-relevant events +such as system logins, account modifications, and authentication +events performed by programs such as sudo. +Under its default configuration, auditd has modest disk space +requirements, and should not noticeably impact system performance. + +NOTE: The Linux Audit daemon auditd can be configured to use +the augenrules program to read audit rules files (*.rules) +located in /etc/audit/rules.d location and compile them to create +the resulting form of the /etc/audit/audit.rules configuration file +during the daemon startup (default configuration). Alternatively, the auditd +daemon can use the auditctl utility to read audit rules from the +/etc/audit/audit.rules configuration file during daemon startup, +and load them into the kernel. The expected behavior is configured via the +appropriate ExecStartPost directive setting in the +/usr/lib/systemd/system/auditd.service configuration file. +To instruct the auditd daemon to use the augenrules program +to read audit rules (default configuration), use the following setting: + ExecStartPost=-/sbin/augenrules --load +in the /usr/lib/systemd/system/auditd.service configuration file. 
+In order to instruct the auditd daemon to use the auditctl +utility to read audit rules, use the following setting: + ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules +in the /usr/lib/systemd/system/auditd.service configuration file. +Refer to [Service] section of the /usr/lib/systemd/system/auditd.service +configuration file for further details. + +Government networks often have substantial auditing +requirements and auditd can be configured to meet these +requirements. +Examining some example audit records demonstrates how the Linux audit system +satisfies common requirements. +The following example from Fedora Documentation available at +https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages +shows the substantial amount of information captured in a +two typical "raw" audit messages, followed by a breakdown of the most important +fields. 
In this example the message is SELinux-related and reports an AVC +denial (and the associated system call) that occurred when the Apache HTTP +Server attempted to access the /var/www/html/file1 file (labeled with +the samba_share_t type): +type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm="httpd" +path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 +tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file + +type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13 +a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48 +gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd" +exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) + +msg=audit(1226874073.147:96)The number in parentheses is the unformatted time stamp (Epoch time) +for the event, which can be converted to standard time by using the +date command. +{ getattr }The item in braces indicates the permission that was denied. getattr +indicates the source process was trying to read the target file's status information. +This occurs before reading files. This action is denied due to the file being +accessed having the wrong label. Commonly seen permissions include getattr, +read, and write.comm="httpd"The executable that launched the process. The full path of the executable is +found in the exe= section of the system call (SYSCALL) message, +which in this case, is exe="/usr/sbin/httpd". +path="/var/www/html/file1"The path to the object (target) the process attempted to access. +scontext="unconfined_u:system_r:httpd_t:s0"The SELinux context of the process that attempted the denied action. In +this case, it is the SELinux context of the Apache HTTP Server, which is running +in the httpd_t domain. +tcontext="unconfined_u:object_r:samba_share_t:s0"The SELinux context of the object (target) the process attempted to access. 
+In this case, it is the SELinux context of file1. Note: the samba_share_t +type is not accessible to processes running in the httpd_t domain. From the system call (SYSCALL) message, two items are of interest: +success=no: indicates whether the denial (AVC) was enforced or not. +success=no indicates the system call was not successful (SELinux denied +access). success=yes indicates the system call was successful - this can +be seen for permissive domains or unconfined domains, such as initrc_t +and kernel_t. +exe="/usr/sbin/httpd": the full path to the executable that launched +the process, which in this case, is exe="/usr/sbin/httpd". + + + + + Install audispd-plugins Package + The audispd-plugins package can be installed with the following command: + +$ sudo dnf install audispd-plugins + SRG-OS-000342-GPOS-00133 + FMT_SMF_EXT.1 + audispd-plugins provides plugins for the real-time interface to the +audit subsystem, audispd. These plugins can do things like relay events +to remote machines or analyze events for suspicious behavior. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! 
rpm -q --quiet "audispd-plugins" ; then + dnf install -y "audispd-plugins" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure audispd-plugins is installed + package: + name: audispd-plugins + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_audispd-plugins_installed + + include install_audispd-plugins + +class install_audispd-plugins { + package { 'audispd-plugins': + ensure => 'installed', + } +} + + +package --add=audispd-plugins + + +[[packages]] +name = "audispd-plugins" +version = "*" + + + + + + + + + + Ensure the default plugins for the audit dispatcher are Installed + The audit-audispd-plugins package should be installed. + SRG-OS-000342-GPOS-00133 + CCI-001851 + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! 
rpm -q --quiet "audit-audispd-plugins" ; then + dnf install -y "audit-audispd-plugins" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure audit-audispd-plugins is installed + package: + name: audit-audispd-plugins + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_audit-audispd-plugins_installed + + include install_audit-audispd-plugins + +class install_audit-audispd-plugins { + package { 'audit-audispd-plugins': + ensure => 'installed', + } +} + + +package --add=audit-audispd-plugins + + +[[packages]] +name = "audit-audispd-plugins" +version = "*" + + + + + + + + + + Ensure the audit Subsystem is Installed + The audit package should be installed. + AC-7(a) + AU-7(1) + AU-7(2) + AU-14 + AU-12(2) + AU-2(a) + CM-6(a) + BP28(R50) + SRG-OS-000122-GPOS-00063 + SRG-OS-000337-GPOS-00129 + SRG-OS-000348-GPOS-00136 + SRG-OS-000349-GPOS-00137 + SRG-OS-000350-GPOS-00138 + SRG-OS-000351-GPOS-00139 + SRG-OS-000352-GPOS-00140 + SRG-OS-000353-GPOS-00141 + SRG-OS-000354-GPOS-00142 + SRG-OS-000358-GPOS-00145 + SRG-OS-000359-GPOS-00146 + SRG-OS-000365-GPOS-00152 + SRG-OS-000474-GPOS-00219 + SRG-OS-000475-GPOS-00220 + SRG-OS-000480-GPOS-00227 + SRG-OS-000062-GPOS-00031 + CCI-000172 + CCI-001814 + CCI-001875 + CCI-001877 + CCI-001878 + CCI-001879 + CCI-001880 + CCI-001881 + CCI-001882 + CCI-001889 + CCI-001914 + CCI-000169 + The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! 
rpm -q --quiet "audit" ; then + dnf install -y "audit" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure audit is installed + package: + name: audit + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-7(a) + - NIST-800-53-AU-12(2) + - NIST-800-53-AU-14 + - NIST-800-53-AU-2(a) + - NIST-800-53-AU-7(1) + - NIST-800-53-AU-7(2) + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_audit_installed + + include install_audit + +class install_audit { + package { 'audit': + ensure => 'installed', + } +} + + +package --add=audit + + +[[packages]] +name = "audit" +version = "*" + + + + + + + + + + Enable auditd Service + The auditd service is an essential userspace component of +the Linux Auditing System, as it is responsible for writing audit records to +disk. + +The auditd service can be enabled with the following command: +$ sudo systemctl enable auditd.service + 5.4.1.1 + 3.3.1 + 3.3.2 + 3.3.6 + CCI-000126 + CCI-000130 + CCI-000131 + CCI-000132 + CCI-000133 + CCI-000134 + CCI-000135 + CCI-000154 + CCI-000158 + CCI-000366 + CCI-001464 + CCI-001487 + CCI-001814 + CCI-001876 + CCI-002884 + CCI-000169 + 164.308(a)(1)(ii)(D) + 164.308(a)(5)(ii)(C) + 164.310(a)(2)(iv) + 164.310(d)(2)(iii) + 164.312(b) + AC-2(g) + AU-3 + AU-10 + AU-2(d) + AU-12(c) + AU-14(1) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000038-GPOS-00016 + SRG-OS-000039-GPOS-00017 + SRG-OS-000040-GPOS-00018 + SRG-OS-000041-GPOS-00019 + SRG-OS-000042-GPOS-00021 + SRG-OS-000051-GPOS-00024 + SRG-OS-000054-GPOS-00025 + SRG-OS-000122-GPOS-00063 + SRG-OS-000254-GPOS-00095 + SRG-OS-000255-GPOS-00096 + SRG-OS-000365-GPOS-00152 + SRG-OS-000392-GPOS-00172 + SRG-OS-000480-GPOS-00227 + 
SRG-OS-000062-GPOS-00031 + SRG-OS-000037-VMM-000150 + SRG-OS-000063-VMM-000310 + SRG-OS-000038-VMM-000160 + SRG-OS-000039-VMM-000170 + SRG-OS-000040-VMM-000180 + SRG-OS-000041-VMM-000190 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Without establishing what type of events occurred, it would be difficult +to establish, correlate, and investigate the events leading up to an outage or attack. +Ensuring the auditd service is active ensures audit records +generated by the kernel are appropriately recorded. + +Additionally, a properly configured audit subsystem ensures that actions of +individual system users can be uniquely traced to those users so they +can be held accountable for their actions. + + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'auditd.service' +"$SYSTEMCTL_EXEC" start 'auditd.service' +"$SYSTEMCTL_EXEC" enable 'auditd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable service auditd + block: + + - name: Gather the package facts + package_facts: + manager: auto + + - name: Enable service auditd + service: + name: auditd + enabled: 'yes' + state: started + masked: 'no' + when: + - '"audit" in ansible_facts.packages' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-171-3.3.2 + - NIST-800-171-3.3.6 + - NIST-800-53-AC-2(g) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-10 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-14(1) + - NIST-800-53-AU-2(d) + - NIST-800-53-AU-3 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.1 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_auditd_enabled + + include enable_auditd + +class enable_auditd { + service {'auditd': + enable => true, + ensure => 'running', + } +} + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: auditd.service + enabled: true + + + + + + + + + + Extend Audit Backlog Limit for the Audit Daemon + To improve the kernel capacity to queue all log events, even those which occurred +prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default +GRUB 2 command line for the Linux operating system in +/etc/default/grub, in the manner below: +GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192" + The GRUB 2 configuration file, grub.cfg, +is automatically updated each time a new kernel is installed. 
Note that any +changes to /etc/default/grub require rebuilding the grub.cfg +file. To update the GRUB 2 configuration file manually, use the +grub2-mkconfig -o command as follows: +On BIOS-based machines, issue the following command as root: +~]# grub2-mkconfig -o /boot/grub2/grub.cfgOn UEFI-based machines, issue the following command as root: + +~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg + SRG-OS-000254-GPOS-00095 + SRG-OS-000341-GPOS-00132 + CM-6(a) + CCI-001849 + audit_backlog_limit sets the queue length for audit events awaiting transfer +to the audit daemon. Until the audit daemon is up and running, all log messages +are stored in this queue. If the queue is overrun during boot process, the action +defined by audit failure flag is taken. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then + +# Correct grub2 kernelopts value using grub2-editenv +if ! grub2-editenv - list | grep -qE '^kernelopts=(.*\s)?audit_backlog_limit=8192(\s.*)?$'; then + grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit_backlog_limit=8192" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-6(a) + - grub2_audit_backlog_limit_argument + - low_disruption + - medium_complexity + - medium_severity + - reboot_required + - restrict_strategy + +- name: get current kernel parameters + command: /usr/bin/grub2-editenv - list + register: kernelopts + changed_when: false + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' + tags: + - NIST-800-53-CM-6(a) + - grub2_audit_backlog_limit_argument + - low_disruption + - medium_complexity + - medium_severity + - reboot_required + - restrict_strategy + +- name: Update the bootloader menu + command: 
/usr/bin/grub2-editenv - set "{{ item }} audit_backlog_limit=8192" + with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') | + list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' + - kernelopts.stdout_lines is defined + - kernelopts.stdout_lines | length > 0 + - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$', + multiline=True) is none + tags: + - NIST-800-53-CM-6(a) + - grub2_audit_backlog_limit_argument + - low_disruption + - medium_complexity + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Enable Auditing for Processes Which Start Prior to the Audit Daemon + To ensure all processes can be audited, even those which start +prior to the audit daemon, add the argument audit=1 to the default +GRUB 2 command line for the Linux operating system in + +/boot/grub2/grubenv, in the manner below: +# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1" + The GRUB 2 configuration file, grub.cfg, +is automatically updated each time a new kernel is installed. Note that any +changes to /etc/default/grub require rebuilding the grub.cfg +file. 
To update the GRUB 2 configuration file manually, use the +grub2-mkconfig -o command as follows: +On BIOS-based machines, issue the following command as root: +~]# grub2-mkconfig -o /boot/grub2/grub.cfgOn UEFI-based machines, issue the following command as root: + +~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg + 5.4.1.1 + 3.3.1 + CCI-001464 + CCI-000130 + CCI-000169 + 164.308(a)(1)(ii)(D) + 164.308(a)(5)(ii)(C) + 164.310(a)(2)(iv) + 164.310(d)(2)(iii) + 164.312(b) + AC-17(1) + AU-14(1) + AU-10 + CM-6(a) + IR-5(1) + DE.AE-3 + DE.AE-5 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + SRG-OS-000254-VMM-000880 + Req-10.3 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 3 + 4 + 5 + 6 + 7 + 8 + SRG-OS-000254-GPOS-00095 + SRG-OS-000062-GPOS-00031 + Each process on the system carries an "auditable" flag which indicates whether +its activities can be audited. Although auditd takes care of enabling +this for all processes which launch after it does, adding the kernel argument +ensures it is set for every process during boot. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then + +# Correct grub2 kernelopts value using grub2-editenv +if ! 
grub2-editenv - list | grep -qE '^kernelopts=(.*\s)?audit=1(\s.*)?$'; then + grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-53-AC-17(1) + - NIST-800-53-AU-10 + - NIST-800-53-AU-14(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-IR-5(1) + - PCI-DSS-Req-10.3 + - grub2_audit_argument + - low_disruption + - medium_complexity + - medium_severity + - reboot_required + - restrict_strategy + +- name: get current kernel parameters + command: /usr/bin/grub2-editenv - list + register: kernelopts + changed_when: false + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-53-AC-17(1) + - NIST-800-53-AU-10 + - NIST-800-53-AU-14(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-IR-5(1) + - PCI-DSS-Req-10.3 + - grub2_audit_argument + - low_disruption + - medium_complexity + - medium_severity + - reboot_required + - restrict_strategy + +- name: Update the bootloader menu + command: /usr/bin/grub2-editenv - set "{{ item }} audit=1" + with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') | + list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' + - kernelopts.stdout_lines is defined + - kernelopts.stdout_lines | length > 0 + - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?audit=1(?:\s.*)?$', multiline=True) + is none + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-53-AC-17(1) + - NIST-800-53-AU-10 + - NIST-800-53-AU-14(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-IR-5(1) + - PCI-DSS-Req-10.3 + - grub2_audit_argument + - low_disruption + - medium_complexity + - medium_severity 
+ - reboot_required + - restrict_strategy + + + + + + + + + + Configure auditd Rules for Comprehensive Auditing + The auditd program can perform comprehensive +monitoring of system activity. This section describes recommended +configuration settings for comprehensive auditing, but a full +description of the auditing system's capabilities is beyond the +scope of this guide. The mailing list linux-audit@redhat.com exists +to facilitate community discussion of the auditing system. + +The audit subsystem supports extensive collection of events, including: + +Tracing of arbitrary system calls (identified by name or number) +on entry or exit.Filtering by PID, UID, call success, system call argument (with +some limitations), etc.Monitoring of specific files for modifications to the file's +contents or metadata. + +Auditing rules at startup are controlled by the file /etc/audit/audit.rules. +Add rules to it to meet the auditing requirements for your organization. +Each line in /etc/audit/audit.rules represents a series of arguments +that can be passed to auditctl and can be individually tested +during runtime. See documentation in /usr/share/doc/audit-VERSION and +in the related man pages for more details. + +If copying any example audit rulesets from /usr/share/doc/audit-VERSION, +be sure to comment out the +lines containing arch= which are not appropriate for your system's +architecture. Then review and understand the following rules, +ensuring rules are activated as needed for the appropriate +architecture. + +After reviewing all the rules, reading the following sections, and +editing as needed, the new rules can be activated as follows: +$ sudo service auditd restart + + + Record Events that Modify User/Group Information via openat syscall - /etc/shadow + The audit system should collect write events to /etc/shadow file for all users and root. 
+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S openat -F a2&03 -F path=/etc/shadow.*" + GROUP="modify" + FULL_RULE="-a always,exit -F arch=$ARCH -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit openat tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: .*openat(,[\S]+)?[\s]+-F[\s]+a2&03[\s]+-F[\s]+path=/etc/shadow.* + patterns: '*.rules' + register: find_openat + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as + the 
recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/modify.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_openat.matched is defined and find_openat.matched == 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_openat.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_openat.matched is defined and find_openat.matched > 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the openat rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 + -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the openat rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: 
-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 + -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the openat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 + -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the openat rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/shadow -F auid>=1000 + -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 
'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify User/Group Information via open syscall - /etc/shadow + The audit system should collect write events to /etc/shadow file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! 
-f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S open -F a1&03 -F path=/etc/shadow.*" + GROUP="modify" + FULL_RULE="-a always,exit -F arch=$ARCH -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit open tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: .*open(,[\S]+)?[\s]+-F[\s]+a1&03[\s]+-F[\s]+path=/etc/shadow.* + patterns: '*.rules' + register: find_open + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as 
+ the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/modify.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open.matched is defined and find_open.matched == 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_open.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open.matched is defined and find_open.matched > 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 + -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F 
arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 + -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 + -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 + -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) 
+ - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Ensure auditd Collects System Administrator Actions + At a minimum, the audit system should collect administrator actions +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +-w /etc/sudoers -p wa -k actions +-w /etc/sudoers.d/ -p wa -k actions +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-w /etc/sudoers -p wa -k actions +-w /etc/sudoers.d/ -p wa -k actions + 5.4.1.1 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AC-2(7)(b) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-1 + PR.AC-3 + PR.AC-4 + PR.AC-6 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.2 + Req-10.2.5.b + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000462-VMM-001840 + SRG-OS-000471-VMM-001910 + SR 1.1 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.2.2 + 4.3.3.3.9 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 
4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.1.2 + A.6.2.1 + A.6.2.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The actions taken by system administrators should be audited to keep a record +of what was executed on the system, as well as, for accountability purposes. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions" +fix_audit_watch_rule "augenrules" "/etc/sudoers" "wa" "actions" + +fix_audit_watch_rule "auditctl" "/etc/sudoers.d/" "wa" "actions" +fix_audit_watch_rule "augenrules" "/etc/sudoers.d/" "wa" "actions" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries for sysadmin actions + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*/etc/sudoers.*$ + patterns: '*.rules' + register: find_audit_sysadmin_actions + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - 
audit_rules_sysadmin_actions + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule + set_fact: + all_sysadmin_actions_files: + - /etc/audit/rules.d/actions.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_sysadmin_actions_files: + - '{{ find_audit_sysadmin_actions.files | map(attribute=''path'') | list | first + }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_audit_sysadmin_actions.matched is defined and find_audit_sysadmin_actions.matched + > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces audit rule for /etc/sudoers rule in rules.d + lineinfile: + path: '{{ all_sysadmin_actions_files[0] }}' + line: -w /etc/sudoers -p wa -k actions + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - 
NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces audit rule for /etc/sudoers.d rule in rules.d + lineinfile: + path: '{{ all_sysadmin_actions_files[0] }}' + line: -w /etc/sudoers.d/ -p wa -k actions + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces audit rule for /etc/sudoers in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -w /etc/sudoers -p wa -k actions + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - audit_rules_sysadmin_actions + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces audit rule for /etc/sudoers.d in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -w /etc/sudoers.d/ -p wa -k actions + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(7)(b) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - PCI-DSS-Req-10.2.5.b + - 
audit_rules_sysadmin_actions + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A + mode: 0600 + path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules + overwrite: true + + + + + + + + + + Record Events that Modify User/Group Information via openat syscall - /etc/passwd + The audit system should collect write events to /etc/passwd file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S openat -F a2&03 -F path=/etc/passwd.*" + GROUP="modify" + FULL_RULE="-a always,exit -F arch=$ARCH -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit openat tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: 
.*openat(,[\S]+)?[\s]+-F[\s]+a2&03[\s]+-F[\s]+path=/etc/passwd.* + patterns: '*.rules' + register: find_openat + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/modify.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_openat.matched is defined and find_openat.matched == 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_openat.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_openat.matched is defined and find_openat.matched > 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the openat rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F 
auid>=1000 + -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the openat rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 + -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the openat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 + -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- 
name: Inserts/replaces the openat rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/passwd -F auid>=1000 + -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify User/Group Information - /etc/shadow + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: + +-w /etc/shadow -p wa -k audit_rules_usergroup_modification + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: + +-w /etc/shadow -p wa -k audit_rules_usergroup_modification + 5.4.1.1 + 3.1.7 + CCI-000018 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-001405 + CCI-001683 + CCI-001684 + CCI-001685 + CCI-001686 + CCI-002130 + CCI-002132 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-1 + PR.AC-3 + PR.AC-4 + PR.AC-6 + PR.PT-1 + PR.PT-4 + 
RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.5 + SRG-OS-000004-GPOS-00004 + SRG-OS-000239-GPOS-00089 + SRG-OS-000240-GPOS-00090 + SRG-OS-000241-GPOS-00091 + SRG-OS-000303-GPOS-00120 + SRG-OS-000476-GPOS-00221 + SRG-OS-000004-VMM-000040 + SRG-OS-000239-VMM-000810 + SRG-OS-000240-VMM-000820 + SRG-OS-000241-VMM-000830 + SRG-OS-000274-VMM-000960 + SRG-OS-000275-VMM-000970 + SRG-OS-000276-VMM-000980 + SRG-OS-000277-VMM-000990 + SRG-OS-000303-VMM-001090 + SRG-OS-000304-VMM-001100 + SRG-OS-000476-VMM-001960 + SR 1.1 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.2.2 + 4.3.3.3.9 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.1.2 + A.6.2.1 + A.6.2.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + In addition to auditing new user and group accounts, these watches +will alert the system administrator(s) to any modifications. Any unexpected +users, groups, or modifications should be investigated for legitimacy. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_watch_rule "auditctl" "/etc/shadow" "wa" "audit_rules_usergroup_modification" +fix_audit_watch_rule "augenrules" "/etc/shadow" "wa" "audit_rules_usergroup_modification" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit shadow tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_shadow + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other user/group modification audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -k audit_rules_usergroup_modification$ + patterns: '*.rules' + register: find_shadow + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_shadow + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_shadow.matched is defined and find_shadow.matched == 0 + tags: + - CJIS-5.4.1.1 + 
- NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_shadow + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_shadow.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_shadow.matched is defined and find_shadow.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_shadow + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the shadow rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_shadow + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the shadow rule in /etc/audit/audit.rules + lineinfile: + line: -w /etc/shadow -p wa -k audit_rules_usergroup_modification + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - 
NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_shadow + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Access Events to Audit Log Directory + The audit system should collect access events to read audit log directory. +The following audit rule will assure that access to audit log directory are +collected. +-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +rule to a file with suffix .rules in the directory +/etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the rule to +/etc/audit/audit.rules file. + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise.' + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/var/log/audit/\\s\\+.*" +GROUP="access-audit-trail" +FULL_RULE="-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*dir=/var/log/audit/.*$ + patterns: '*.rules' + register: find_var_log_audit + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - directory_access_var_log_audit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/access-audit-trail.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access-audit-trail.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_var_log_audit.matched == 0 + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - directory_access_var_log_audit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_var_log_audit.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_var_log_audit.matched > 0 + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) 
+ - NIST-800-53-CM-6(a) + - directory_access_var_log_audit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the /var/log/audit/ rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset + -F key=access-audit-trail + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - directory_access_var_log_audit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the /var/log/audit/ rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset + -F key=access-audit-trail + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - directory_access_var_log_audit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Record Events that Modify User/Group Information - /etc/group + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: + +-w /etc/group -p wa -k audit_rules_usergroup_modification + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: + +-w /etc/group -p wa -k 
audit_rules_usergroup_modification + 5.4.1.1 + 3.1.7 + CCI-000018 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-001405 + CCI-001683 + CCI-001684 + CCI-001685 + CCI-001686 + CCI-002130 + CCI-002132 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-1 + PR.AC-3 + PR.AC-4 + PR.AC-6 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.5 + SRG-OS-000004-GPOS-00004 + SRG-OS-000004-VMM-000040 + SRG-OS-000239-VMM-000810 + SRG-OS-000240-VMM-000820 + SRG-OS-000241-VMM-000830 + SRG-OS-000274-VMM-000960 + SRG-OS-000275-VMM-000970 + SRG-OS-000276-VMM-000980 + SRG-OS-000277-VMM-000990 + SRG-OS-000303-VMM-001090 + SRG-OS-000304-VMM-001100 + SRG-OS-000476-VMM-001960 + SR 1.1 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.2.2 + 4.3.3.3.9 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.1.2 + A.6.2.1 + A.6.2.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 
+ 18 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + In addition to auditing new user and group accounts, these watches +will alert the system administrator(s) to any modifications. Any unexpected +users, groups, or modifications should be investigated for legitimacy. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_watch_rule "auditctl" "/etc/group" "wa" "audit_rules_usergroup_modification" +fix_audit_watch_rule "augenrules" "/etc/group" "wa" "audit_rules_usergroup_modification" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit group tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_group + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other user/group modification audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -k audit_rules_usergroup_modification$ + patterns: '*.rules' + register: find_group + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_group + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing user/group modification 
ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_group.matched is defined and find_group.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_group + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_group.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_group.matched is defined and find_group.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_group + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the group rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/group -p wa -k audit_rules_usergroup_modification + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_group + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the group rule in /etc/audit/audit.rules + 
lineinfile: + line: -w /etc/group -p wa -k audit_rules_usergroup_modification + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_group + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + System Audit Logs Must Be Owned By Root + All audit logs must be owned by root user and group. By default, the path for audit log is /var/log/audit/. + +To properly set the owner of /var/log/audit, run the command: +$ sudo chown root /var/log/audit + +To properly set the owner of /var/log/audit/*, run the command: +$ sudo chown root /var/log/audit/* + 5.4.1.1 + 3.3.1 + CCI-000162 + CCI-000163 + CCI-000164 + CCI-001314 + CM-6(a) + AC-6(1) + AU-9(4) + DE.AE-3 + DE.AE-5 + PR.AC-4 + PR.DS-5 + PR.PT-1 + RS.AN-1 + RS.AN-4 + Req-10.5.1 + SRG-OS-000057-GPOS-00027 + SRG-OS-000058-GPOS-00028 + SRG-OS-000059-GPOS-00029 + SRG-OS-000206-GPOS-00084 + SR 2.1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 5.2 + SR 6.1 + 4.2.3.10 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.7.3 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO01.06 + APO11.04 + APO12.06 + BAI03.05 + BAI08.02 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS05.04 + DSS05.07 + DSS06.02 + MEA02.01 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 19 + 3 + 4 + 5 + 6 + 7 + 8 + Unauthorized 
disclosure of audit records can reveal system and configuration data to +attackers, thus compromising its confidentiality. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then + GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') + if ! [ "${GROUP}" == 'root' ] ; then + chown root.${GROUP} /var/log/audit + chown root.${GROUP} /var/log/audit/audit.log* + else + chown root.root /var/log/audit + chown root.root /var/log/audit/audit.log* + fi +else + chown root.root /var/log/audit + chown root.root /var/log/audit/audit.log* +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Record Events that Modify the System's Network Environment + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification +-w /etc/issue -p wa -k audit_rules_networkconfig_modification +-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification +-w /etc/hosts -p wa -k audit_rules_networkconfig_modification +-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification +-w /etc/issue -p wa -k audit_rules_networkconfig_modification +-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification +-w /etc/hosts -p wa -k 
audit_rules_networkconfig_modification +-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification + 5.4.1.1 + 3.1.7 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.5.5 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The network environment should not be modified by anything other +than administrator action. Any change to network parameters should be +audited. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S .* -k *" + # Use escaped BRE regex to specify rule group + GROUP="set\(host\|domain\)name" + FULL_RULE="-a always,exit -F arch=$ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +# Then perform the remediations for the watch rules +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_watch_rule "auditctl" "/etc/issue" "wa" "audit_rules_networkconfig_modification" +fix_audit_watch_rule "augenrules" "/etc/issue" "wa" "audit_rules_networkconfig_modification" + +fix_audit_watch_rule "auditctl" "/etc/issue.net" "wa" "audit_rules_networkconfig_modification" +fix_audit_watch_rule "augenrules" "/etc/issue.net" "wa" "audit_rules_networkconfig_modification" + +fix_audit_watch_rule "auditctl" "/etc/hosts" "wa" "audit_rules_networkconfig_modification" +fix_audit_watch_rule "augenrules" "/etc/hosts" "wa" "audit_rules_networkconfig_modification" + +fix_audit_watch_rule "auditctl" "/etc/sysconfig/network" "wa" "audit_rules_networkconfig_modification" +fix_audit_watch_rule "augenrules" "/etc/sysconfig/network" "wa" "audit_rules_networkconfig_modification" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - 
CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Remediate audit rules for network configuration for x86 + block: + + - name: Declare list of syscals + set_fact: + syscalls: + - sethostname + - setdomainname + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + + - name: Search /etc/audit/rules.d for other rules with the key audit_rules_networkconfig_modification + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_syscalls_files + + - name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + == 0 + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first + }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + > 0 + + - name: 
Insert the syscall rule in {{ all_files[0] }} + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' + }}" + + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + + - name: Declare list of syscals + set_fact: + syscalls: + - sethostname + - setdomainname + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + 
set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' + }}" + + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Remediate audit rules for network configuration for x86_64 + block: + + - name: Declare list of syscals + set_fact: + syscalls: + - sethostname + - setdomainname + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b64_rules_d + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + }}" + + - name: Search /etc/audit/rules.d for other rules with the key audit_rules_networkconfig_modification + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_syscalls_files + + - name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as + the recipient for the rule + set_fact: + 
all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + == 0 + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first + }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + > 0 + + - name: Insert the syscall rule in {{ all_files[0] }} + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' + }}" + + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + + - name: Declare list of syscals + set_fact: + syscalls: + - sethostname + - setdomainname + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b64_audit_rules + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + }}" + + - name: Insert the 
syscall rule in /etc/audit/audit.rules + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_rules_networkconfig_modification' + }}" + + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch == "b64" + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Check if watch rule for /etc/issue already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F 
key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_watch_key + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the + recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched + is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched + is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - 
audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add watch rule for /etc/issue in /etc/audit/rules.d/ + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Check if watch rule for /etc/issue already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add watch rule for /etc/issue in /etc/audit/audit.rules + lineinfile: + line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - 
NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_watch_key + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the + recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched 
== 0 and find_existing_watch_rules_d.matched + is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched + is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add watch rule for /etc/issue.net in /etc/audit/rules.d/ + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: 
^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add watch rule for /etc/issue.net in /etc/audit/audit.rules + lineinfile: + line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Check if watch rule for /etc/hosts already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Search /etc/audit/rules.d for other rules with specified key 
audit_rules_networkconfig_modification + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_watch_key + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the + recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched + is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched + is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - 
NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add watch rule for /etc/hosts in /etc/audit/rules.d/ + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Check if watch rule for /etc/hosts already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add watch rule for /etc/hosts in /etc/audit/audit.rules + lineinfile: + line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched + == 0 + 
tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ + patterns: '*.rules' + register: find_watch_key + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the + recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules + when: + - ansible_virtualization_type not in 
["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched + is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched + is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add watch rule for /etc/sysconfig/network in /etc/audit/rules.d/ + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: 
Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add watch rule for /etc/sysconfig/network in /etc/audit/audit.rules + lineinfile: + line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_networkconfig_modification + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Record Events that Modify User/Group Information via open syscall - /etc/gshadow + The audit system should collect write events to /etc/gshadow file for all users and root. 
+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S open -F a1&03 -F path=/etc/gshadow.*" + GROUP="modify" + FULL_RULE="-a always,exit -F arch=$ARCH -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit open tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: .*open(,[\S]+)?[\s]+-F[\s]+a1&03[\s]+-F[\s]+path=/etc/gshadow.* + patterns: '*.rules' + register: find_open + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as + the recipient 
for the rule + set_fact: + all_files: + - /etc/audit/rules.d/modify.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open.matched is defined and find_open.matched == 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_open.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open.matched is defined and find_open.matched > 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 + -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b64 -S 
open -F a1&03 -F path=/etc/gshadow -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 + -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 + -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 + -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - 
NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify User/Group Information via open syscall - /etc/passwd + The audit system should collect write events to /etc/passwd file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S open -F a1&03 -F path=/etc/passwd.*" + GROUP="modify" + FULL_RULE="-a always,exit -F arch=$ARCH -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit open tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: .*open(,[\S]+)?[\s]+-F[\s]+a1&03[\s]+-F[\s]+path=/etc/passwd.* + patterns: '*.rules' + register: find_open + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as + the recipient for the 
rule + set_fact: + all_files: + - /etc/audit/rules.d/modify.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open.matched is defined and find_open.matched == 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_open.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open.matched is defined and find_open.matched > 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 + -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b64 -S open -F a1&03 
-F path=/etc/passwd -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 + -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 + -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 + -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + 
- NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on Exporting to Media (successful) + At a minimum, the audit system should collect media exportation +events for all users and root. If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export + 5.4.1.1 + 3.1.7 + CCI-000135 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.2.7 + SRG-OS-000042-GPOS-00020 + SRG-OS-000392-GPOS-00172 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + 
MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The unauthorized exportation of data to external media could result in an information leak +where classified information, Privacy Act information, and intellectual property could be lost. An audit +trail should be created each time a filesystem is mounted to help identify and guard against information +loss. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S mount.*" + GROUP="perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit mount tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - 
restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_mount + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_mount.matched is defined and find_mount.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_mount.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_mount.matched is defined and find_mount.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the mount rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S 
mount -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the mount rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the mount rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the mount rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + 
when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_media_export + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify User/Group Information - /etc/security/opasswd + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: + +-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: + +-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + 5.4.1.1 + 3.1.7 + CCI-000018 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-001405 + CCI-001683 + CCI-001684 + CCI-001685 + CCI-001686 + CCI-002130 + CCI-002132 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-1 + PR.AC-3 + PR.AC-4 + PR.AC-6 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.5 + SRG-OS-000004-GPOS-00004 + SRG-OS-000239-GPOS-00089 + SRG-OS-000240-GPOS-00090 + SRG-OS-000241-GPOS-00091 + SRG-OS-000303-GPOS-00120 + SRG-OS-000463-GPOS-00207 + SRG-OS-000476-GPOS-00221 + SRG-OS-000004-VMM-000040 + SRG-OS-000239-VMM-000810 + SRG-OS-000240-VMM-000820 + SRG-OS-000241-VMM-000830 + 
SRG-OS-000274-VMM-000960 + SRG-OS-000275-VMM-000970 + SRG-OS-000276-VMM-000980 + SRG-OS-000277-VMM-000990 + SRG-OS-000303-VMM-001090 + SRG-OS-000304-VMM-001100 + SRG-OS-000476-VMM-001960 + SR 1.1 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.2.2 + 4.3.3.3.9 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.1.2 + A.6.2.1 + A.6.2.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + In addition to auditing new user and group accounts, these watches +will alert the system administrator(s) to any modifications. Any unexpected +users, groups, or modifications should be investigated for legitimacy. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_watch_rule "auditctl" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification" +fix_audit_watch_rule "augenrules" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit opasswd tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_opasswd + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other user/group modification audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -k audit_rules_usergroup_modification$ + patterns: '*.rules' + register: find_opasswd + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_opasswd + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_opasswd.matched is defined and find_opasswd.matched == 0 
+ tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_opasswd + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_opasswd.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_opasswd.matched is defined and find_opasswd.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_opasswd + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the opasswd rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_opasswd + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the opasswd rule in /etc/audit/audit.rules + lineinfile: + line: -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 
+ - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_opasswd + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Attempts to Alter Process and Session Initiation Information + The audit system already collects process information for all +users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing such process information: +-w /var/run/utmp -p wa -k session +-w /var/log/btmp -p wa -k session +-w /var/log/wtmp -p wa -k session +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for attempted manual +edits of files involved in storing such process information: +-w /var/run/utmp -p wa -k session +-w /var/log/btmp -p wa -k session +-w /var/log/wtmp -p wa -k session + 5.4.1.1 + 3.1.7 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.3 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + 
DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 0582 + 0584 + 05885 + 0586 + 0846 + 0957 + Manual editing of these files may indicate nefarious activity, such +as an attacker attempting to remove evidence of an intrusion. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# Perform the remediation +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_watch_rule "auditctl" "/var/run/utmp" "wa" "session" +fix_audit_watch_rule "augenrules" "/var/run/utmp" "wa" "session" + +fix_audit_watch_rule "auditctl" "/var/log/btmp" "wa" "session" +fix_audit_watch_rule "augenrules" "/var/log/btmp" "wa" "session" + +fix_audit_watch_rule "auditctl" "/var/log/wtmp" "wa" "session" +fix_audit_watch_rule "augenrules" "/var/log/wtmp" "wa" "session" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check if watch rule for /var/run/utmp already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other rules with specified key session + 
find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)session$ + patterns: '*.rules' + register: find_watch_key + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use /etc/audit/rules.d/session.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/session.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched + is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched + is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Add watch rule 
for /var/run/utmp in /etc/audit/rules.d/ + lineinfile: + path: '{{ all_files[0] }}' + line: -w /var/run/utmp -p wa -k session + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Check if watch rule for /var/run/utmp already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Add watch rule for /var/run/utmp in /etc/audit/audit.rules + lineinfile: + line: -w /var/run/utmp -p wa -k session + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Check if watch rule for /var/log/btmp already exists in /etc/audit/rules.d/ + find: + paths: 
/etc/audit/rules.d + contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other rules with specified key session + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)session$ + patterns: '*.rules' + register: find_watch_key + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use /etc/audit/rules.d/session.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/session.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched + is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | 
list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched + is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Add watch rule for /var/log/btmp in /etc/audit/rules.d/ + lineinfile: + path: '{{ all_files[0] }}' + line: -w /var/log/btmp -p wa -k session + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Check if watch rule for /var/log/btmp already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Add watch rule for /var/log/btmp in /etc/audit/audit.rules + lineinfile: + line: -w /var/log/btmp -p wa -k session + state: present + dest: /etc/audit/audit.rules + create: true + when: 
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Check if watch rule for /var/log/wtmp already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other rules with specified key session + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)session$ + patterns: '*.rules' + register: find_watch_key + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use /etc/audit/rules.d/session.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/session.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - 
find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched + is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched + is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Add watch rule for /var/log/wtmp in /etc/audit/rules.d/ + lineinfile: + path: '{{ all_files[0] }}' + line: -w /var/log/wtmp -p wa -k session + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Check if watch rule for /var/log/wtmp already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: 
find_existing_watch_audit_rules + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Add watch rule for /var/log/wtmp in /etc/audit/audit.rules + lineinfile: + line: -w /var/log/wtmp -p wa -k session + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_session_events + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%0A-w%20/var/run/utmp%20-p%20wa%20-k%20session%0A-w%20/var/log/btmp%20-p%20wa%20-k%20session%0A-w%20/var/log/wtmp%20-p%20wa%20-k%20session%0A + mode: 0600 + path: /etc/audit/rules.d/75-audit-session-events.rules + overwrite: true + + + + + + + System Audit Logs Must Have Mode 0750 or Less Permissive + If log_group in /etc/audit/auditd.conf is set to a group other than the root +group account, change the mode of the audit log files with the following command: +$ sudo chmod 0750 /var/log/audit + +Otherwise, change the mode of the audit log files with the following command: +$ sudo chmod 0700 /var/log/audit + CM-6(a) + AC-6(1) + AU-9 + DE.AE-3 + DE.AE-5 + PR.AC-4 + PR.DS-5 + PR.PT-1 + RS.AN-1 + RS.AN-4 + SR 2.1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 
+ SR 2.9 + SR 5.2 + SR 6.1 + 4.2.3.10 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.7.3 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO01.06 + APO11.04 + APO12.06 + BAI03.05 + BAI08.02 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS05.04 + DSS05.07 + DSS06.02 + MEA02.01 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 19 + 3 + 4 + 5 + 6 + 7 + 8 + SRG-OS-000057-GPOS-00027 + SRG-OS-000058-GPOS-00028 + SRG-OS-000059-GPOS-00029 + CCI-000162 + If users can write to audit logs, audit trails can be modified or destroyed. + + + + + + + + + + Record Events that Modify User/Group Information - /etc/passwd + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: + +-w /etc/passwd -p wa -k audit_rules_usergroup_modification + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: + +-w /etc/passwd -p wa -k audit_rules_usergroup_modification + 5.4.1.1 + 3.1.7 + CCI-000018 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-001405 + CCI-001683 + CCI-001684 + CCI-001685 + CCI-001686 + CCI-002130 + CCI-002132 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-1 + PR.AC-3 + PR.AC-4 
+ PR.AC-6 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.5 + SRG-OS-000004-GPOS-00004 + SRG-OS-000239-GPOS-00089 + SRG-OS-000240-GPOS-00090 + SRG-OS-000241-GPOS-00091 + SRG-OS-000274-GPOS-00104 + SRG-OS-000275-GPOS-00105 + SRG-OS-000276-GPOS-00106 + SRG-OS-000277-GPOS-00107 + SRG-OS-000303-GPOS-00120 + SRG-OS-000476-GPOS-00221 + SRG-OS-000004-VMM-000040 + SRG-OS-000239-VMM-000810 + SRG-OS-000240-VMM-000820 + SRG-OS-000241-VMM-000830 + SRG-OS-000274-VMM-000960 + SRG-OS-000275-VMM-000970 + SRG-OS-000276-VMM-000980 + SRG-OS-000277-VMM-000990 + SRG-OS-000303-VMM-001090 + SRG-OS-000304-VMM-001100 + SRG-OS-000476-VMM-001960 + SR 1.1 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.2.2 + 4.3.3.3.9 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.1.2 + A.6.2.1 + A.6.2.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + In addition to auditing new user and group accounts, these watches +will alert the system administrator(s) to any modifications. 
Any unexpected +users, groups, or modifications should be investigated for legitimacy. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_watch_rule "auditctl" "/etc/passwd" "wa" "audit_rules_usergroup_modification" +fix_audit_watch_rule "augenrules" "/etc/passwd" "wa" "audit_rules_usergroup_modification" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit passwd tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_passwd + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other user/group modification audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -k audit_rules_usergroup_modification$ + patterns: '*.rules' + register: find_passwd + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_passwd + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_passwd.matched is defined and find_passwd.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_passwd + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_passwd.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_passwd.matched is defined and find_passwd.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_passwd + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the passwd rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_passwd + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the passwd rule in /etc/audit/audit.rules + lineinfile: + line: -w /etc/passwd -p wa -k audit_rules_usergroup_modification + state: present + dest: /etc/audit/audit.rules + create: true + when: 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_passwd + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify User/Group Information + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: +-w /etc/group -p wa -k audit_rules_usergroup_modification +-w /etc/passwd -p wa -k audit_rules_usergroup_modification +-w /etc/gshadow -p wa -k audit_rules_usergroup_modification +-w /etc/shadow -p wa -k audit_rules_usergroup_modification +-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: +-w /etc/group -p wa -k audit_rules_usergroup_modification +-w /etc/passwd -p wa -k audit_rules_usergroup_modification +-w /etc/gshadow -p wa -k audit_rules_usergroup_modification +-w /etc/shadow -p wa -k audit_rules_usergroup_modification +-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification + This rule checks for multiple syscalls related to account changes; +it was written with DISA STIG in mind. Other policies should use a +separate rule for each syscall that needs to be checked. 
For example: +audit_rules_usergroup_modification_groupaudit_rules_usergroup_modification_gshadowaudit_rules_usergroup_modification_passwd + 5.4.1.1 + 3.1.7 + CCI-000018 + CCI-000130 + CCI-000172 + CCI-001403 + CCI-002130 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-1 + PR.AC-3 + PR.AC-4 + PR.AC-6 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.2.5 + SRG-OS-000004-GPOS-00004 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000239-GPOS-00089 + SRG-OS-000241-GPOS-00090 + SRG-OS-000241-GPOS-00091 + SRG-OS-000303-GPOS-00120 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000476-GPOS-00221 + SR 1.1 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.2.2 + 4.3.3.3.9 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.1.2 + A.6.2.1 + A.6.2.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + In addition to auditing new user and group accounts, these watches +will alert the system 
administrator(s) to any modifications. Any unexpected +users, groups, or modifications should be investigated for legitimacy. + + + + + + + + + + Record Events that Modify User/Group Information via open syscall - /etc/group + The audit system should collect write events to /etc/group file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S open -F a1&03 -F path=/etc/group.*" + GROUP="modify" + FULL_RULE="-a always,exit -F arch=$ARCH -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit open tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: .*open(,[\S]+)?[\s]+-F[\s]+a1&03[\s]+-F[\s]+path=/etc/group.* + patterns: '*.rules' + register: find_open + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as + the recipient for the rule 
+ set_fact: + all_files: + - /etc/audit/rules.d/modify.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open.matched is defined and find_open.matched == 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_open.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open.matched is defined and find_open.matched > 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b64 -S open -F a1&03 -F 
path=/etc/group -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - 
NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify User/Group Information - /etc/gshadow + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d, in order to capture events that modify +account changes: + +-w /etc/gshadow -p wa -k audit_rules_usergroup_modification + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file, in order to capture events that modify +account changes: + +-w /etc/gshadow -p wa -k audit_rules_usergroup_modification + 5.4.1.1 + 3.1.7 + CCI-000018 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-001405 + CCI-001683 + CCI-001684 + CCI-001685 + CCI-001686 + CCI-002130 + CCI-002132 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-1 + PR.AC-3 + PR.AC-4 + PR.AC-6 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.5 + SRG-OS-000004-GPOS-00004 + SRG-OS-000004-VMM-000040 + SRG-OS-000239-VMM-000810 + SRG-OS-000240-VMM-000820 + SRG-OS-000241-VMM-000830 + SRG-OS-000274-VMM-000960 + SRG-OS-000275-VMM-000970 + SRG-OS-000276-VMM-000980 + SRG-OS-000277-VMM-000990 + SRG-OS-000303-VMM-001090 + SRG-OS-000304-VMM-001100 + SRG-OS-000476-VMM-001960 + SR 1.1 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 
4.2.3.10 + 4.3.2.6.7 + 4.3.3.2.2 + 4.3.3.3.9 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.1.2 + A.6.2.1 + A.6.2.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + In addition to auditing new user and group accounts, these watches +will alert the system administrator(s) to any modifications. Any unexpected +users, groups, or modifications should be investigated for legitimacy. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_watch_rule "auditctl" "/etc/gshadow" "wa" "audit_rules_usergroup_modification" +fix_audit_watch_rule "augenrules" "/etc/gshadow" "wa" "audit_rules_usergroup_modification" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit gshadow tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_gshadow + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other user/group modification audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -k audit_rules_usergroup_modification$ + patterns: '*.rules' + register: find_gshadow + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_gshadow + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_gshadow.matched is defined and find_gshadow.matched == 0 + tags: + - 
CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_gshadow + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_gshadow.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_gshadow.matched is defined and find_gshadow.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_gshadow + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the gshadow rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_gshadow + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the gshadow rule in /etc/audit/audit.rules + lineinfile: + line: -w /etc/gshadow -p wa -k audit_rules_usergroup_modification + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - 
NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.5 + - audit_rules_usergroup_modification_gshadow + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + System Audit Logs Must Have Mode 0640 or Less Permissive + If log_group in /etc/audit/auditd.conf is set to a group other than the root +group account, change the mode of the audit log files with the following command: +$ sudo chmod 0640 audit_file + +Otherwise, change the mode of the audit log files with the following command: +$ sudo chmod 0600 audit_file + CCI-000162 + CCI-000163 + CCI-000164 + CCI-001314 + SRG-OS-000057-GPOS-00027 + SRG-OS-000058-GPOS-00028 + SRG-OS-000059-GPOS-00029 + SRG-OS-000206-GPOS-00084 + 5.4.1.1 + 3.3.1 + CM-6(a) + AC-6(1) + AU-9(4) + DE.AE-3 + DE.AE-5 + PR.AC-4 + PR.DS-5 + PR.PT-1 + RS.AN-1 + RS.AN-4 + Req-10.5 + SR 2.1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 5.2 + SR 6.1 + 4.2.3.10 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.7.3 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO01.06 + APO11.04 + APO12.06 + BAI03.05 + BAI08.02 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS05.04 + DSS05.07 + DSS06.02 + MEA02.01 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 19 + 3 + 4 + 5 + 6 + 7 + 8 + If users can write to audit logs, audit trails can be modified or destroyed. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then + GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') + if ! [ "${GROUP}" == 'root' ] ; then + chmod 0640 /var/log/audit/audit.log + chmod 0440 /var/log/audit/audit.log.* + else + chmod 0600 /var/log/audit/audit.log + chmod 0400 /var/log/audit/audit.log.* + fi +else + chmod 0600 /var/log/audit/audit.log + chmod 0400 /var/log/audit/audit.log.* +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow + The audit system should collect write events to /etc/gshadow file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S open_by_handle_at -F a2&03 -F path=/etc/gshadow.*" + GROUP="modify" + FULL_RULE="-a always,exit -F arch=$ARCH -S open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit open_by_handle_at tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: 
.*open_by_handle_at(,[\S]+)?[\s]+-F[\s]+a2&03[\s]+-F[\s]+path=/etc/gshadow.* + patterns: '*.rules' + register: find_open_by_handle_at + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/modify.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched + == 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_open_by_handle_at.files | map(attribute=''path'') | list | first + }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched + > 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F 
path=/etc/gshadow + -F auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow + -F auid>=1000 -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow + -F auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow + -F auid>=1000 -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in /etc/audit/audit.rules when + on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow + -F auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow + -F auid>=1000 -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - 
NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow + -F auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/gshadow + -F auid>=1000 -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify User/Group Information via openat syscall - /etc/group + The audit system should collect write events to /etc/group file for all users and root. 
+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S openat -F a2&03 -F path=/etc/group.*" + GROUP="modify" + FULL_RULE="-a always,exit -F arch=$ARCH -S openat -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit openat tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: .*openat(,[\S]+)?[\s]+-F[\s]+a2&03[\s]+-F[\s]+path=/etc/group.* + patterns: '*.rules' + register: find_openat + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as + the 
recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/modify.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_openat.matched is defined and find_openat.matched == 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_openat.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_openat.matched is defined and find_openat.matched > 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the openat rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the openat rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a 
always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the openat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the openat rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/group -F auid>=1000 + -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + 
tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify User/Group Information via openat syscall - /etc/gshadow + The audit system should collect write events to /etc/gshadow file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=user-modify + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! 
-f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S openat -F a2&03 -F path=/etc/gshadow.*" + GROUP="modify" + FULL_RULE="-a always,exit -F arch=$ARCH -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=modify" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit openat tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: .*openat(,[\S]+)?[\s]+-F[\s]+a2&03[\s]+-F[\s]+path=/etc/gshadow.* + patterns: '*.rules' + register: find_openat + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use 
/etc/audit/rules.d/modify.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/modify.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_openat.matched is defined and find_openat.matched == 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_openat.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_openat.matched is defined and find_openat.matched > 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the openat rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F + auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 + -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the openat rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + 
line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F + auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 + -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the openat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F + auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 + -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the openat rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F + auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S openat -F a2&03 -F path=/etc/gshadow -F auid>=1000 + -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", 
"container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_gshadow_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd + The audit system should collect write events to /etc/passwd file for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. 
+ + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S open_by_handle_at -F a2&03 -F path=/etc/passwd.*" + GROUP="modify" + FULL_RULE="-a always,exit -F arch=$ARCH -S open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=modify" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit open_by_handle_at tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: .*open_by_handle_at(,[\S]+)?[\s]+-F[\s]+a2&03[\s]+-F[\s]+path=/etc/passwd.* + patterns: '*.rules' + register: find_open_by_handle_at + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_open_by_handle_at + - low_complexity + - 
low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/modify.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched + == 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_open_by_handle_at.files | map(attribute=''path'') | list | first + }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched + > 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd + -F auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd + -F auid>=1000 -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - 
audit_rules_etc_passwd_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd + -F auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd + -F auid>=1000 -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in /etc/audit/audit.rules when + on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd + -F auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/passwd + -F auid>=1000 -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + 
create: true + regexp: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd + -F auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/passwd + -F auid>=1000 -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_passwd_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group + The audit system should collect write events to /etc/group file for all group and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S open_by_handle_at -F a2&03 -F path=/etc/group.*" + GROUP="modify" + FULL_RULE="-a always,exit -F arch=$ARCH -S open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=modify" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit open_by_handle_at tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: 
.*open_by_handle_at(,[\S]+)?[\s]+-F[\s]+a2&03[\s]+-F[\s]+path=/etc/group.* + patterns: '*.rules' + register: find_open_by_handle_at + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/modify.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched + == 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_open_by_handle_at.files | map(attribute=''path'') | list | first + }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched + > 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F 
path=/etc/group + -F auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group + -F auid>=1000 -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group + -F auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group + -F auid>=1000 -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in /etc/audit/audit.rules when + on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group + -F auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/group + -F auid>=1000 -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - 
NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group + -F auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/group + -F auid>=1000 -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_group_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow + The audit system should collect write events to /etc/shadow file for all users and root. 
+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system. +Auditing these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S open_by_handle_at -F a2&03 -F path=/etc/shadow.*" + GROUP="modify" + FULL_RULE="-a always,exit -F arch=$ARCH -S open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=modify" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit open_by_handle_at tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: .*open_by_handle_at(,[\S]+)?[\s]+-F[\s]+a2&03[\s]+-F[\s]+path=/etc/shadow.* + patterns: '*.rules' + register: find_open_by_handle_at + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If 
existing DAC ruleset not found, use /etc/audit/rules.d/modify.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/modify.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched + == 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_open_by_handle_at.files | map(attribute=''path'') | list | first + }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched + > 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow + -F auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow + -F auid>=1000 -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_open_by_handle_at + - low_complexity + - low_disruption + - 
medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + regexp: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow + -F auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow + -F auid>=1000 -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in /etc/audit/audit.rules when + on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow + -F auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b32 -S open_by_handle_at -F a2&03 -F path=/etc/shadow + -F auid>=1000 -F auid!=unset -F key=modify + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + regexp: -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F 
path=/etc/shadow + -F auid>=1000 -F auid!=unset -F key=[\S]+ + with_items: + - -a always,exit -F arch=b64 -S open_by_handle_at -F a2&03 -F path=/etc/shadow + -F auid>=1000 -F auid!=unset -F key=modify + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_etc_shadow_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Make the auditd Configuration Immutable + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d in order to make the auditd configuration +immutable: +-e 2 +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file in order to make the auditd configuration +immutable: +-e 2 +With this setting, a reboot will be required to change any audit rules. 
+ 5.4.1.1 + 3.3.1 + 3.4.3 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.310(a)(2)(iv) + 164.312(d) + 164.310(d)(2)(iii) + 164.312(b) + 164.312(e) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + ID.SC-4 + PR.AC-4 + PR.DS-5 + PR.PT-1 + RS.AN-1 + RS.AN-4 + Req-10.5.2 + SR 2.1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 5.2 + SR 6.1 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.7.3 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO01.06 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + BAI03.05 + BAI08.02 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS05.04 + DSS05.07 + DSS06.02 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 19 + 3 + 4 + 5 + 6 + 7 + 8 + Making the audit configuration immutable prevents accidental as +well as malicious modification of the audit rules, although it may be +problematic if legitimate changes are needed during system +operation + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# Traverse all of: +# +# /etc/audit/audit.rules, (for auditctl case) +# /etc/audit/rules.d/*.rules (for augenrules case) +# +# files to check if '-e .*' setting is present in that '*.rules' file already. 
+# If found, delete such occurrence since auditctl(8) manual page instructs the +# '-e 2' rule should be placed as the last rule in the configuration +find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';' + +# Append '-e 2' requirement at the end of both: +# * /etc/audit/audit.rules file (for auditctl case) +# * /etc/audit/rules.d/immutable.rules (for augenrules case) + +for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules" +do + echo '' >> $AUDIT_FILE + echo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_FILE + echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE + echo '-e 2' >> $AUDIT_FILE +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Collect all files from /etc/audit/rules.d with .rules extension + find: + paths: /etc/audit/rules.d/ + patterns: '*.rules' + register: find_rules_d + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-171-3.4.3 + - NIST-800-53-AC-6(9) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.2 + - audit_rules_immutable + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Remove the -e option from all Audit config files + lineinfile: + path: '{{ item }}' + regexp: ^\s*(?:-e)\s+.*$ + state: absent + loop: '{{ find_rules_d.files | map(attribute=''path'') | list + [''/etc/audit/audit.rules''] + }}' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-171-3.4.3 + - NIST-800-53-AC-6(9) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.2 + - audit_rules_immutable + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Add Audit -e option 
into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules + lineinfile: + path: '{{ item }}' + create: true + line: -e 2 + loop: + - /etc/audit/audit.rules + - /etc/audit/rules.d/immutable.rules + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-171-3.4.3 + - NIST-800-53-AC-6(9) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.2 + - audit_rules_immutable + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-e%202%0A + mode: 0600 + path: /etc/audit/rules.d/90-immutable.rules + overwrite: true + + + + + + + Record Events that Modify the System's Mandatory Access Controls + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d: +-w /etc/selinux/ -p wa -k MAC-policy +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-w /etc/selinux/ -p wa -k MAC-policy + 5.4.1.1 + 3.1.8 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + 
APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The system's mandatory access policy (SELinux) should not be +arbitrarily changed by anything other than administrator action. All changes to +MAC policy should be audited. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_watch_rule "auditctl" "/etc/selinux/" "wa" "MAC-policy" +fix_audit_watch_rule "augenrules" "/etc/selinux/" "wa" "MAC-policy" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check if watch rule for /etc/selinux/ already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.8 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_mac_modification + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other rules with specified key MAC-policy + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)MAC-policy$ + patterns: '*.rules' + register: find_watch_key + when: + - ansible_virtualization_type not in 
["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.8 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_mac_modification + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use /etc/audit/rules.d/MAC-policy.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/MAC-policy.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched + is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.8 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_mac_modification + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched + is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.8 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_mac_modification + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Add watch rule for /etc/selinux/ in /etc/audit/rules.d/ + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/selinux/ -p wa -k MAC-policy + create: true + when: + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.8 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_mac_modification + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Check if watch rule for /etc/selinux/ already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: ^\s*-w\s+/etc/selinux/\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.8 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_mac_modification + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Add watch rule for /etc/selinux/ in /etc/audit/audit.rules + lineinfile: + line: -w /etc/selinux/ -p wa -k MAC-policy + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.8 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_mac_modification + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/selinux/%20-p%20wa%20-k%20MAC-policy%0A + mode: 0600 + path: 
/etc/audit/rules.d/75-etcselinux-wa-MAC-policy.rules + overwrite: true + + + + + + + + + + Record Unauthorized Access Attempts Events to Files (unsuccessful) + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. Note that the "-F arch=b32" lines should be +present even on a 64 bit system. These commands identify system calls for +auditing. Even if the system is 64 bit it can still execute 32 bit system +calls. Additionally, these rules can be configured in a number of ways while +still achieving the desired effect. An example of this is that the "-S" calls +could be split up and placed on separate lines, however, this is less efficient. +Add the following to /etc/audit/audit.rules: +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If your system is 64 bit then these lines should be duplicated and the +arch=b32 replaced with arch=b64 as follows: +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access + -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + + + Record Successful Access Attempts to Files - ftruncate + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File access attempts could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Successful Permission Changes to Files - lsetxattr + At a minimum, the audit system should collect file permission changes +for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S lsetxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S lsetxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S lsetxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S lsetxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File permission changes could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Successful Access Attempts to Files - openat + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S openat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S openat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S openat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S openat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File access attempts could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Unsuccessul Permission Changes to Files - lsetxattr + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. 
+-a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S lsetxattr -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S lsetxattr -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit lsetxattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_lsetxattr + when: ansible_virtualization_type not in ["docker", 
"lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lsetxattr.matched is defined and find_lsetxattr.matched == 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_lsetxattr.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lsetxattr.matched is defined and find_lsetxattr.matched > 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lsetxattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - 
audit_rules_unsuccessful_file_modification_lsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lsetxattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lsetxattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lsetxattr rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S lsetxattr -F 
exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Unsuccessful Access Attempts to Files - truncate + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + Note that these rules can be configured in a +number of ways while still 
achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S truncate -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S truncate -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit truncate tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_truncate + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: 
find_truncate + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_truncate + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_truncate.matched is defined and find_truncate.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_truncate + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_truncate.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_truncate.matched is defined and find_truncate.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_truncate + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the truncate rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S truncate -F 
exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_truncate + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the truncate rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_truncate + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the truncate rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_truncate + - 
low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the truncate rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_truncate + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Successful Permission Changes to Files - fchmod + At a minimum, the audit system should collect file permission changes +for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S fchmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fchmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File permission changes could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Successful Access Attempts to Files - creat + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File access attempts could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Successful Creation Attempts to Files - open_by_handle_at O_CREAT + The open_by_handle_at syscall can be used to create new files +when O_CREAT flag is specified. + +The following audit rules will assure that successful attempts to create a +file via open_by_handle_at syscall are collected. + +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +rules below to a file with suffix .rules in the directory +/etc/audit/rules.d. 
+ +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the rules below to +/etc/audit/audit.rules file. + + +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create + + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create + + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open_by_handle_at,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create + Successful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Successful Permission Changes to Files - fremovexattr + At a minimum, the audit system should collect file permission changes +for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File permission changes could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Unsuccessul Permission Changes to Files - setxattr + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. 
+-a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S setxattr -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S setxattr -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit setxattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_setxattr + when: ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_setxattr.matched is defined and find_setxattr.matched == 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_setxattr.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_setxattr.matched is defined and find_setxattr.matched > 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the setxattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - 
audit_rules_unsuccessful_file_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the setxattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the setxattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the setxattr rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F 
auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Successful Creation Attempts to Files - open_by_handle_at O_TRUNC_WRITE + The audit system should collect detailed file access records for +all users and root. The open_by_handle_at syscall can be used to modify +files if called for write operation with the O_TRUNC_WRITE flag. + +The following audit rules will assure that successful attempts to create a +file via open_by_handle_at syscall are collected. + +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +rules below to a file with suffix .rules in the directory +/etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the rules below to +/etc/audit/audit.rules file. + + +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification + + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification + + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: +-a always,exit -F arch=b32 -S open,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification + Successful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE + The audit system should collect detailed unauthorized file accesses for +all users and root. The open_by_handle_at syscall can be used to modify files +if called for write operation of with O_TRUNC_WRITE flag. + +The following auidt rules will asure that unsuccessful attempts to modify a +file via open_by_handle_at syscall are collected. + +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +rules below to a file with suffix .rules in the directory +/etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the rules below to +/etc/audit/audit.rules file. + +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. 
Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. 
+ + - name: Add unsuccessful file operations audit rules + blockinfile: + path: /etc/audit/rules.d/30-ospp-v42-remediation.rules + create: true + block: |- + ## This content is a section of an Audit config snapshot recommended for Fedora systems that target OSPP compliance. + ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + + ## The purpose of these rules is to meet the requirements for Operating + ## System Protection Profile (OSPP)v4.2. These rules depends on having + ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. + + ## Unsuccessful file creation (open with O_CREAT) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F 
exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + ## Unsuccessful file modifications (open for write or truncate) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + ## Unsuccessful file access (any other opens) This has to go last. 
+ -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE + The audit system should collect detailed unauthorized file accesses for +all users and root. The open syscall can be used to modify files +if called for write operation of with O_TRUNC_WRITE flag. +The following auidt rules will asure that unsuccessful attempts to modify a +file via open syscall are collected. +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +rules below to a file with suffix .rules in the directory +/etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the rules below to +/etc/audit/audit.rules file. 
+ +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + 
DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + - name: Add unsuccessful file operations audit rules + blockinfile: + path: /etc/audit/rules.d/30-ospp-v42-remediation.rules + create: true + block: |- + ## This content is a section of an Audit config snapshot recommended for Fedora systems that target OSPP compliance. + ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + + ## The purpose of these rules is to meet the requirements for Operating + ## System Protection Profile (OSPP)v4.2. These rules depends on having + ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
+ + ## Unsuccessful file creation (open with O_CREAT) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + ## Unsuccessful file modifications (open for write or truncate) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F 
key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + ## Unsuccessful file access (any other opens) This has to go last. 
+ -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_o_trunc_write + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE + The audit system should collect detailed unauthorized file accesses for +all users and root. The openat syscall can be used to modify files +if called for write operation of with O_TRUNC_WRITE flag. + +The following auidt rules will asure that unsuccessful attempts to modify a +file via openat syscall are collected. + +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +rules below to a file with suffix .rules in the directory +/etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the rules below to +/etc/audit/audit.rules file. 
+ +-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + 
DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + - name: Add unsuccessful file operations audit rules + blockinfile: + path: /etc/audit/rules.d/30-ospp-v42-remediation.rules + create: true + block: |- + ## This content is a section of an Audit config snapshot recommended for Fedora systems that target OSPP compliance. + ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + + ## The purpose of these rules is to meet the requirements for Operating + ## System Protection Profile (OSPP)v4.2. These rules depends on having + ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
+ + ## Unsuccessful file creation (open with O_CREAT) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + ## Unsuccessful file modifications (open for write or truncate) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F 
key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + ## Unsuccessful file access (any other opens) This has to go last. 
+ -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat_o_trunc_write + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Record Successful Ownership Changes to Files - chown + At a minimum, the audit system should collect file ownership changes +for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S chown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S chown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S chown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S chown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File ownership attempts could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + The audit system should collect unauthorized file accesses for +all users and root. The open_by_handle_at syscall can be used to create new files +when O_CREAT flag is specified. + +The following auidt rules will asure that unsuccessful attempts to create a +file via open_by_handle_at syscall are collected. + +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +rules below to a file with suffix .rules in the directory +/etc/audit/rules.d. 
+ +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the rules below to +/etc/audit/audit.rules file. + +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + - name: Add unsuccessful file operations audit rules + blockinfile: + path: /etc/audit/rules.d/30-ospp-v42-remediation.rules + create: true + block: |- + ## This content is a section of an Audit config snapshot recommended for Fedora systems that target OSPP compliance. 
+ ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + + ## The purpose of these rules is to meet the requirements for Operating + ## System Protection Profile (OSPP)v4.2. These rules depends on having + ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. + + ## Unsuccessful file creation (open with O_CREAT) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + ## Unsuccessful file modifications (open for write or truncate) + -a always,exit -F arch=b32 -S 
openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + ## Unsuccessful file access (any other opens) This has to go last. 
+ -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Record Unsuccessul Ownership Changes to Files - fchownat + The audit system should collect unsuccessful file ownership change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. 
+-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S fchownat -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S fchownat -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit fchownat tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchownat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fchownat + when: ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchownat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchownat.matched is defined and find_fchownat.matched == 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchownat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_fchownat.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchownat.matched is defined and find_fchownat.matched > 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchownat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchownat rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - 
audit_rules_unsuccessful_file_modification_fchownat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchownat rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchownat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchownat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchownat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchownat rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F 
auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchownat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Unsuccessul Permission Changes to Files - chmod + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S chmod -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S chmod -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit chmod tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type 
not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_chmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_chmod + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_chmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_chmod.matched is defined and find_chmod.matched == 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_chmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_chmod.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_chmod.matched is defined and find_chmod.matched > 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_chmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the chmod rule in rules.d when on x86 + 
lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_chmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the chmod rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_chmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the chmod rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_chmod + - 
low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the chmod rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_chmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Successful Access Attempts to Files - open + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S open -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S open -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S open -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File access attempts could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Unsuccessul Delete Attempts to Files - unlink + The audit system should collect unsuccessful file deletion +attempts for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. 
+-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000468-GPOS-00212 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + 
MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S unlink -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S unlink -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit unlink tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_unlink + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_unlink + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_unlink + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_unlink.matched is defined and find_unlink.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_unlink + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_unlink.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_unlink.matched is defined and find_unlink.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - 
NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_unlink + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the unlink rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_unlink + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the unlink rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_unlink + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the unlink rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: 
true + with_items: + - -a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_unlink + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the unlink rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_unlink + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Successful Delete Attempts to Files - rename + At a minimum, the audit system should collect file +deletion for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S rename -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S rename -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S rename -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S rename -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File deletion attempts could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Unsuccessul Ownership Changes to Files - chown + The audit system should collect unsuccessful file ownership change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. 
+-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S chown -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S chown -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit chown tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_chown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_chown + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", 
"container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_chown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_chown.matched is defined and find_chown.matched == 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_chown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_chown.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_chown.matched is defined and find_chown.matched > 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_chown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the chown rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_chown + - low_complexity + - low_disruption + - 
medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the chown rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_chown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the chown rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_chown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the chown rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", 
"container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_chown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Successful Delete Attempts to Files - unlinkat + At a minimum, the audit system should collect file +deletion for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S unlinkat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S unlinkat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S unlinkat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S unlinkat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File deletion attempts could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Successful Creation Attempts to Files - openat O_CREAT + The openat syscall can be used to create new files +when O_CREAT flag is specified. 
+ +The following audit rules will assure that successful attempts to create a +file via openat syscall are collected. + +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +rules below to a file with suffix .rules in the directory +/etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the rules below to +/etc/audit/audit.rules file. + + +-a always,exit -F arch=b32 -S openat -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create + + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S openat -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create + + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create + Successful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE + The audit system should collect detailed file access records for +all users and root. The openat syscall can be used to modify +files if called for write operation with the O_TRUNC_WRITE flag. + +The following audit rules will assure that successful attempts to create a +file via openat syscall are collected. + +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +rules below to a file with suffix .rules in the directory +/etc/audit/rules.d. 
+ +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the rules below to +/etc/audit/audit.rules file. + + +-a always,exit -F arch=b32 -S openat -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification + + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S openat -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification + + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open,openat -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification + Successful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Successful Permission Changes to Files - setxattr + At a minimum, the audit system should collect file permission changes +for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S setxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S setxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S setxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S setxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File deletion attempts could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Successful Ownership Changes to Files - lchown + At a minimum, the audit system should collect file ownership changes +for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S lchown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S lchown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S lchown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S lchown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File ownership attempts could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Unsuccessful Access Attempts to Files - open + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 3.1.7 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. 
+ + - name: Set architecture for audit open tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_open + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open.matched is defined and find_open.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_open.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", 
"container"] + - find_open.matched is defined and find_open.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in 
/etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly + The audit system should collect detailed unauthorized file +accesses for all users and root. +To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access +of files via openat syscall the audit rules collecting these events need to be in certain order. 
+The more specific rules need to come before the less specific rules. The reason for that is that more +specific rules cover a subset of events covered in the less specific rules, thus, they need to come +before to not be overshadowed by less specific rules, which match a bigger set of events. +Make sure that rules for unsuccessful calls of openat syscall are in the order shown below. +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), check the order of +rules below in a file with suffix .rules in the directory +/etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, check the order of rules below in +/etc/audit/audit.rules file. + +-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat -F a2&01003 -F exit=-EPERM -F 
auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The more specific rules cover a subset of events covered by the less specific rules. +By ordering them from more specific to less specific, it is assured that the less specific +rule will not catch events better recorded by the more specific rule. 
+ + + + + + + + + + Record Unsuccessful Access Attempts to Files - ftruncate + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 3.1.7 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit ftruncate tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_ftruncate + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: 
find_ftruncate + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_ftruncate + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_ftruncate.matched is defined and find_ftruncate.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_ftruncate + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_ftruncate.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_ftruncate.matched is defined and find_ftruncate.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_ftruncate + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the ftruncate rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S 
ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_ftruncate + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the ftruncate rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_ftruncate + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the ftruncate rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - 
audit_rules_unsuccessful_file_modification_ftruncate + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the ftruncate rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_ftruncate + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Unsuccessul Permission Changes to Files - removexattr + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. 
+-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S removexattr -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S removexattr -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit removexattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_removexattr + when: ansible_virtualization_type not 
in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_removexattr.matched is defined and find_removexattr.matched == 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_removexattr.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_removexattr.matched is defined and find_removexattr.matched > 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the removexattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - 
NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the removexattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the removexattr rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a 
always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Successful Access Attempts to Files - truncate + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S truncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S truncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S truncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S truncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File access attempts could be an indicator of malicious activity on a system. 
Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Successful Creation Attempts to Files - open O_TRUNC_WRITE + The audit system should collect detailed file access records for +all users and root. The open syscall can be used to modify +files if called for write operation with the O_TRUNC_WRITE flag. + +The following audit rules will assure that successful attempts to create a +file via open syscall are collected. + +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +rules below to a file with suffix .rules in the directory +/etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the rules below to +/etc/audit/audit.rules file. + + +-a always,exit -F arch=b32 -S open -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification + + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification + + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open,openat -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification + Successful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Unsuccessul Permission Changes to Files - fchmod + The audit system should collect unsuccessful file permission change +attempts for all users and root. 
+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S fchmod -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S fchmod -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit fchmod tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fchmod + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", 
"podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchmod.matched is defined and find_fchmod.matched == 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_fchmod.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchmod.matched is defined and find_fchmod.matched > 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchmod rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchmod + - low_complexity + - 
low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchmod rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchmod rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchmod rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", 
"lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Successful Delete Attempts to Files - unlink + At a minimum, the audit system should collect file +deletion for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S unlink -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S unlink -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S unlink -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S unlink -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File deletion attempts could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. 
+ + + + + + + Record Unsuccessul Ownership Changes to Files - lchown + The audit system should collect unsuccessful file ownership change +attempts for all users and root. + +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. + +-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S lchown -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S lchown -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit lchown tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_lchown + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", 
"podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lchown.matched is defined and find_lchown.matched == 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_lchown.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lchown.matched is defined and find_lchown.matched > 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lchown rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lchown + - low_complexity + - 
low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lchown rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lchown rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", 
"lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Unsuccessful Creation Attempts to Files - openat O_CREAT + The audit system should collect unauthorized file accesses for +all users and root. The openat syscall can be used to create new files +when O_CREAT flag is specified. + +The following auidt rules will asure that unsuccessful attempts to create a +file via openat syscall are collected. + +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +rules below to a file with suffix .rules in the directory +/etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the rules below to +/etc/audit/audit.rules file. + +-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S openat -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: +-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + - name: Add unsuccessful file operations audit rules + blockinfile: + path: /etc/audit/rules.d/30-ospp-v42-remediation.rules + create: true + block: |- + ## This content is a section of an Audit config snapshot recommended for Fedora systems that target OSPP compliance. 
+ ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + + ## The purpose of these rules is to meet the requirements for Operating + ## System Protection Profile (OSPP)v4.2. These rules depends on having + ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. + + ## Unsuccessful file creation (open with O_CREAT) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + ## Unsuccessful file modifications (open for write or truncate) + -a always,exit -F arch=b32 -S 
openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + ## Unsuccessful file access (any other opens) This has to go last. 
+ -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat_o_creat + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Record Successful Permission Changes to Files - fchmodat + At a minimum, the audit system should collect file permission changes +for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S fchmodat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchmodat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fchmodat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchmodat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File permission changes could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Successful Permission Changes to Files - fsetxattr + At a minimum, the audit system should collect file permission changes +for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S fsetxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fsetxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fsetxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fsetxattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File permission changes could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Successful Access Attempts to Files - open_by_handle_at + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File access attempts could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Unsuccessul Delete Attempts to Files - renameat + The audit system should collect unsuccessful file deletion +attempts for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. 
+-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000468-GPOS-00212 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + 
MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S renameat -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S renameat -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit renameat tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') 
}} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_renameat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_renameat + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_renameat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_renameat.matched is defined and find_renameat.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_renameat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_renameat.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_renameat.matched is defined and find_renameat.matched > 0 + tags: + - NIST-800-171-3.1.7 + - 
NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_renameat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the renameat rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_renameat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the renameat rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_renameat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the renameat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: 
present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_renameat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the renameat rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_renameat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly + The audit system should collect detailed unauthorized file +accesses for all users and root. +To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access +of files via open syscall the audit rules collecting these events need to be in certain order. +The more specific rules need to come before the less specific rules. 
The reason for that is that more +specific rules cover a subset of events covered in the less specific rules, thus, they need to come +before to not be overshadowed by less specific rules, which match a bigger set of events. +Make sure that rules for unsuccessful calls of open syscall are in the order shown below. +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), check the order of +rules below in a file with suffix .rules in the directory +/etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, check the order of rules below in +/etc/audit/audit.rules file. + +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open -F 
exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The more specific rules cover a subset of events covered by the less specific rules. +By ordering them from more specific to less specific, it is assured that the less specific +rule will not catch events better recorded by the more specific rule. + + + + + + + + + + Record Unsuccessful Access Attempts to Files - openat + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 3.1.7 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. 
+ + - name: Set architecture for audit openat tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_openat + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_openat.matched is defined and find_openat.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_openat.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", 
"podman", "container"] + - find_openat.matched is defined and find_openat.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the openat rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the openat rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces 
the openat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the openat rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_openat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Unsuccessful Creation Attempts to Files - open O_CREAT + The audit system should collect unauthorized file accesses for +all users and root. The open syscall can be used to create new files +when O_CREAT flag is specified. + +The following auidt rules will asure that unsuccessful attempts to create a +file via open syscall are collected. 
+ +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +rules below to a file with suffix .rules in the directory +/etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the rules below to +/etc/audit/audit.rules file. + +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: +-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + - name: Add unsuccessful file operations audit rules + blockinfile: + path: /etc/audit/rules.d/30-ospp-v42-remediation.rules + create: true + block: |- + ## This content is a section of an Audit config snapshot recommended for Fedora systems that target OSPP compliance. 
+ ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + + ## The purpose of these rules is to meet the requirements for Operating + ## System Protection Profile (OSPP)v4.2. These rules depends on having + ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. + + ## Unsuccessful file creation (open with O_CREAT) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + ## Unsuccessful file modifications (open for write or truncate) + -a always,exit -F arch=b32 -S 
openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + ## Unsuccessful file access (any other opens) This has to go last. 
+ -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_o_creat + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Record Successful Ownership Changes to Files - fchownat + At a minimum, the audit system should collect file ownership changes +for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File ownership attempts could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Successful Creation Attempts to Files - open O_CREAT + The open syscall can be used to create new files +when O_CREAT flag is specified. + +The following audit rules will assure that successful attempts to create a +file via open syscall are collected. + +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +rules below to a file with suffix .rules in the directory +/etc/audit/rules.d. 
+ +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the rules below to +/etc/audit/audit.rules file. + + +-a always,exit -F arch=b32 -S open -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create + + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create + + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S open,open -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create + Successful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Successful Delete Attempts to Files - renameat + At a minimum, the audit system should collect file +deletion for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File deletion attempts could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Unsuccessul Permission Changes to Files - fremovexattr + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. 
+-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S fremovexattr -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S fremovexattr -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit fremovexattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fremovexattr + when: 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fremovexattr.matched is defined and find_fremovexattr.matched == 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_fremovexattr.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fremovexattr.matched is defined and find_fremovexattr.matched > 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fremovexattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F + auid!=unset -F key=access + - -a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) 
+ - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F + auid!=unset -F key=access + - -a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F + auid!=unset -F key=access + - -a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 
-F + auid!=unset -F key=access + - -a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Unsuccessul Ownership Changes to Files - fchown + The audit system should collect unsuccessful file ownership change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S fchown -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S fchown -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit fchown tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", 
"lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fchown + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchown.matched is defined and find_fchown.matched == 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_fchown.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchown.matched is defined and find_fchown.matched > 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchown rule in rules.d when on x86 + lineinfile: + 
path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchown rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchown rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchown + - 
low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchown rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly + The audit system should collect detailed unauthorized file +accesses for all users and root. +To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access +of files via open_by_handle_at syscall the audit rules collecting these events need to be in certain order. +The more specific rules need to come before the less specific rules. The reason for that is that more +specific rules cover a subset of events covered in the less specific rules, thus, they need to come +before to not be overshadowed by less specific rules, which match a bigger set of events. +Make sure that rules for unsuccessful calls of open_by_handle_at syscall are in the order shown below. +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), check the order of +rules below in a file with suffix .rules in the directory +/etc/audit/rules.d. 
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, check the order of rules below in +/etc/audit/audit.rules file. + +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + 
DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The more specific rules cover a subset of events covered by the less specific rules. +By ordering them from more specific to less specific, it is assured that the less specific +rule will not catch events better recorded by the more specific rule. + + + + + + + + + + Record Unsuccessful Access Attempts to Files - open_by_handle_at + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 3.1.7 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. 
+ + - name: Set architecture for audit open_by_handle_at tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_open_by_handle_at + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched + == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_open_by_handle_at.files | map(attribute=''path'') | list 
| first + }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_open_by_handle_at.matched is defined and find_open_by_handle_at.matched + > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 + -F auid!=unset -F key=access + - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 + -F auid!=unset -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 + -F auid!=unset -F key=access + - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 + -F auid!=unset -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - 
PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in /etc/audit/audit.rules when + on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 + -F auid!=unset -F key=access + - -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 + -F auid!=unset -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the open_by_handle_at rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 + -F auid!=unset -F key=access + - -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 + -F auid!=unset -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Unsuccessul Permission Changes to Files - lremovexattr + The 
audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S lremovexattr -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S lremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S lremovexattr -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit lremovexattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_lremovexattr + when: 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lremovexattr.matched is defined and find_lremovexattr.matched == 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_lremovexattr.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lremovexattr.matched is defined and find_lremovexattr.matched > 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lremovexattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F + auid!=unset -F key=access + - -a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) 
+ - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lremovexattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F + auid!=unset -F key=access + - -a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lremovexattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid>=1000 -F + auid!=unset -F key=access + - -a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lremovexattr rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid>=1000 
-F + auid!=unset -F key=access + - -a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Successful Permission Changes to Files - chmod + At a minimum, the audit system should collect file permission changes +for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S chmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S chmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S chmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S chmod -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ File permission changes could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Successful Permission Changes to Files - removexattr + At a minimum, the audit system should collect file permission changes +for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S removexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S removexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S removexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S removexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File permission changes could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Unsuccessul Permission Changes to Files - fsetxattr + The audit system should collect unsuccessful file permission change +attempts for all users and root. 
+If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S fsetxattr -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S fsetxattr -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit fsetxattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fsetxattr + when: ansible_virtualization_type not in ["docker", 
"lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fsetxattr.matched is defined and find_fsetxattr.matched == 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_fsetxattr.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fsetxattr.matched is defined and find_fsetxattr.matched > 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fsetxattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - 
audit_rules_unsuccessful_file_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fsetxattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fsetxattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fsetxattr rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S fsetxattr -F 
exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Unsuccessful Access Attempts to Files - creat + At a minimum, the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + Note that these rules can be configured in a +number of ways while still achieving the desired effect. 
Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + 3.1.7 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S creat -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S creat -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit creat tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_creat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_creat + when: 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_creat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_creat.matched is defined and find_creat.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_creat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_creat.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_creat.matched is defined and find_creat.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_creat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the creat rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F 
key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_creat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the creat rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_creat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the creat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_creat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - 
restrict_strategy + +- name: Inserts/replaces the creat rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_creat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Successful Ownership Changes to Files - fchown + At a minimum, the audit system should collect file ownership changes +for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S fchown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fchown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchown -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File ownership attempts could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Unsuccessul Permission Changes to Files - fchmodat + The audit system should collect unsuccessful file permission change +attempts for all users and root. +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. 
+-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change +-a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the audit rule checks a +system call independently of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change + CCI-000172 + AU-2(d) + AU-12(c) + CM-6(a) + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S fchmodat -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S fchmodat -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit fchmodat tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchmodat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fchmodat + when: ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchmodat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchmodat.matched is defined and find_fchmodat.matched == 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchmodat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_fchmodat.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchmodat.matched is defined and find_fchmodat.matched > 0 + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchmodat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchmodat rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - 
audit_rules_unsuccessful_file_modification_fchmodat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchmodat rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchmodat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchmodat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchmodat rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F 
auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_unsuccessful_file_modification_fchmodat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) + At a minimum the audit system should collect unauthorized file +accesses for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +If the system is 64 bit then also add the following lines: + +-a 
always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access + This rule checks for multiple syscalls related to unsuccessful file modification; +it was written with DISA STIG in mind. Other policies should use a +separate rule for each syscall that needs to be checked. For example: +audit_rules_unsuccessful_file_modification_openaudit_rules_unsuccessful_file_modification_ftruncateaudit_rules_unsuccessful_file_modification_creat + 5.4.1.1 + 3.1.7 + CCI-000172 + CCI-002884 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.2.4 + Req-10.2.1 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 0582 + 0584 + 05885 + 0586 + 0846 + 0957 + Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. 
+ + + + + + + + + + Record Successful Permission Changes to Files - lremovexattr + At a minimum, the audit system should collect file permission changes +for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F arch=b32 -S lremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S lremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S lremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + +If the system is 64 bit then also add the following lines: +-a always,exit -F arch=b64 -S lremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + File permission changes could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + + + + + + Record Unsuccessul Delete Attempts to Files - rename + The audit system should collect unsuccessful file deletion +attempts for all users and root. If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. 
+If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. See the following example: +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000468-GPOS-00212 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + 
BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S rename -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S rename -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was 
done' +fi + + - name: Set architecture for audit rename tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_rename + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_rename + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_rename + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_rename.matched is defined and find_rename.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_rename + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_rename.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] + - find_rename.matched is defined and find_rename.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_rename + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the rename rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_rename + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the rename rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_rename + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: 
Inserts/replaces the rename rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_rename + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the rename rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_rename + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Unsuccessul Delete Attempts to Files - unlinkat + The audit system should collect unsuccessful file deletion +attempts for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file. +-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete + +If the system is 64 bit then also add the following lines: + +-a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete +-a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping system calls related +to the same event is more efficient. 
See the following example: +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-delete + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.4 + Req-10.2.1 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000461-GPOS-00205 + SRG-OS-000468-GPOS-00212 + SRG-OS-000458-VMM-001810 + SRG-OS-000461-VMM-001830 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing +these events could serve as evidence of potential system compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EACCES.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EPERM.*" + GROUP="access" + FULL_RULE="-a always,exit -F arch=$ARCH -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit unlinkat tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_unlinkat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: 
find_unlinkat + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_unlinkat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/access.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/access.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_unlinkat.matched is defined and find_unlinkat.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_unlinkat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_unlinkat.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_unlinkat.matched is defined and find_unlinkat.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_unlinkat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the unlinkat rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S unlinkat -F 
exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_unlinkat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the unlinkat rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ item }}' + create: true + with_items: + - -a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_unlinkat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the unlinkat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_unlinkat + - 
low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the unlinkat rule in audit.rules when on x86_64 + lineinfile: + line: '{{ item }}' + state: present + dest: /etc/audit/audit.rules + create: true + with_items: + - -a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset + -F key=access + - -a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset + -F key=access + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.1 + - PCI-DSS-Req-10.2.4 + - audit_rules_unsuccessful_file_modification_unlinkat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + + Record File Deletion Events by User + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete + + + Ensure auditd Collects File Deletion Events by User + At a minimum the audit system should collect file deletion events +for all users and root. 
If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid>=1000 -F auid!=unset -F key=delete + This rule checks for multiple syscalls related to file deletion; +it was written with DISA STIG in mind. Other policies should use a +separate rule for each syscall that needs to be checked. For example: +audit_rules_file_deletion_events_rmdiraudit_rules_file_deletion_events_unlinkaudit_rules_file_deletion_events_unlinkat + 5.4.1.1 + 3.1.7 + CCI-000366 + CCI-000172 + CCI-002884 + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + 
A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence. + + + + + + + + + + Ensure auditd Collects File Deletion Events by User - rmdir + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete + 3.1.7 + CCI-000172 + CCI-000366 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.MA-2 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + SRG-OS-000466-GPOS-00210 + SRG-OS-000467-GPOS-00211 + SRG-OS-000468-GPOS-00212 + SRG-OS-000392-GPOS-00172 + SRG-OS-000466-VMM-001870 + SRG-OS-000468-VMM-001890 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 
4.3.3.5.8 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.4 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.1.1 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S rmdir.*" + GROUP="delete" + FULL_RULE="-a always,exit -F arch=$ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit rmdir tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rmdir + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=delete$ + patterns: '*.rules' + register: find_rmdir + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rmdir + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/delete.rules + when: + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_rmdir.matched is defined and find_rmdir.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rmdir + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_rmdir.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_rmdir.matched is defined and find_rmdir.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rmdir + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the rmdir rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rmdir + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the rmdir rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - 
NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rmdir + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the rmdir rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rmdir + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the rmdir rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S rmdir -F auid>=1000 -F auid!=unset -F key=delete + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rmdir + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Ensure auditd Collects File Deletion Events by User - unlink + At a minimum, the audit system should collect file deletion events +for all users and root. 
If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete + 3.1.7 + CCI-000172 + CCI-000366 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.MA-2 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + SRG-OS-000466-GPOS-00210 + SRG-OS-000467-GPOS-00211 + SRG-OS-000468-GPOS-00212 + SRG-OS-000392-GPOS-00172 + SRG-OS-000466-VMM-001870 + SRG-OS-000468-VMM-001890 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.4 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.1.1 + A.15.2.1 + A.15.2.2 + 
A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S unlink.*" + GROUP="delete" + FULL_RULE="-a always,exit -F arch=$ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit unlink tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlink + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=delete$ + patterns: '*.rules' + register: find_unlink + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", 
"container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlink + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/delete.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_unlink.matched is defined and find_unlink.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlink + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_unlink.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_unlink.matched is defined and find_unlink.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlink + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the unlink rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -F key=delete + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlink + - low_complexity + - low_disruption + - 
medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the unlink rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -F key=delete + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlink + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the unlink rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=unset -F key=delete + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlink + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the unlink rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=unset -F key=delete + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlink + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Ensure auditd 
Collects File Deletion Events by User - renameat + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete + 3.1.7 + CCI-000172 + CCI-000366 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.MA-2 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + SRG-OS-000466-GPOS-00210 + SRG-OS-000467-GPOS-00211 + SRG-OS-000468-GPOS-00212 + SRG-OS-000392-GPOS-00172 + SRG-OS-000466-VMM-001870 + SRG-OS-000468-VMM-001890 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.4 + 
A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.1.1 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S renameat.*" + GROUP="delete" + FULL_RULE="-a always,exit -F arch=$ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit renameat tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_renameat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + 
contains: -F key=delete$ + patterns: '*.rules' + register: find_renameat + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_renameat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/delete.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_renameat.matched is defined and find_renameat.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_renameat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_renameat.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_renameat.matched is defined and find_renameat.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_renameat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the renameat rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -F key=delete + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - 
NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_renameat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the renameat rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -F key=delete + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_renameat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the renameat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=unset -F key=delete + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_renameat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the renameat rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=unset -F key=delete + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - 
PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_renameat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Ensure auditd Collects File Deletion Events by User - rename + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete + 3.1.7 + CCI-000172 + CCI-000366 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.MA-2 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + SRG-OS-000466-GPOS-00210 + SRG-OS-000467-GPOS-00211 + SRG-OS-000468-GPOS-00212 + SRG-OS-000392-GPOS-00172 + SRG-OS-000466-VMM-001870 + SRG-OS-000468-VMM-001890 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + 
DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.4 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.1.1 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S rename.*" + GROUP="delete" + FULL_RULE="-a always,exit -F arch=$ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit rename tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rename + - low_complexity + - 
low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=delete$ + patterns: '*.rules' + register: find_rename + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rename + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/delete.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_rename.matched is defined and find_rename.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rename + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_rename.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_rename.matched is defined and find_rename.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rename + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the rename rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S rename -F auid>=1000 -F 
auid!=unset -F key=delete + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rename + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the rename rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -F key=delete + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rename + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the rename rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -F key=delete + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rename + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the rename rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -F key=delete + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - 
audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_rename + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Ensure auditd Collects File Deletion Events by User - unlinkat + At a minimum, the audit system should collect file deletion events +for all users and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as +appropriate for your system: +-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete + 3.1.7 + CCI-000172 + CCI-000366 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.MA-2 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + SRG-OS-000466-GPOS-00210 + SRG-OS-000467-GPOS-00211 + SRG-OS-000468-GPOS-00212 + SRG-OS-000392-GPOS-00172 + SRG-OS-000466-VMM-001870 + SRG-OS-000468-VMM-001890 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 
4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.4 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.1.1 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Auditing file deletions will create an audit trail for files that are removed +from the system. The audit trail could aid in system troubleshooting, as well as, detecting +malicious processes that attempt to delete log files to conceal their presence. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S unlinkat.*" + GROUP="delete" + FULL_RULE="-a always,exit -F arch=$ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit unlinkat tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - 
NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlinkat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=delete$ + patterns: '*.rules' + register: find_unlinkat + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlinkat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/delete.rules as + the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/delete.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_unlinkat.matched is defined and find_unlinkat.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlinkat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_unlinkat.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_unlinkat.matched is defined and find_unlinkat.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlinkat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - 
restrict_strategy + +- name: Inserts/replaces the unlinkat rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlinkat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the unlinkat rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlinkat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the unlinkat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlinkat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the unlinkat rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S unlinkat 
-F auid>=1000 -F auid!=unset -F key=delete + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_file_deletion_events_unlinkat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + + Record Attempts to Alter Logon and Logout Events + The audit system already collects login information for all users +and root. If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +-w /var/log/tallylog -p wa -k logins +-w /var/run/faillock/ -p wa -k logins +-w /var/log/lastlog -p wa -k logins +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +-w /var/log/tallylog -p wa -k logins +-w /var/run/faillock/ -p wa -k logins +-w /var/log/lastlog -p wa -k logins + + + Record Attempts to Alter Logon and Logout Events - faillock + The audit system already collects login information for all users +and root. 
If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +-w /var/run/faillock -p wa -k logins +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +-w /var/run/faillock -p wa -k logins + 3.1.7 + CCI-000126 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.3 + SRG-OS-000392-GPOS-00172 + SRG-OS-000470-GPOS-00214 + SRG-OS-000473-GPOS-00218 + SRG-OS-000473-VMM-001930 + SRG-OS-000470-VMM-001900 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Manual 
editing of these files may indicate nefarious activity, such +as an attacker attempting to remove evidence of an intrusion. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_watch_rule "auditctl" "/var/run/faillock" "wa" "logins" +fix_audit_watch_rule "augenrules" "/var/run/faillock" "wa" "logins" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for other user/group modification audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -k logins$ + patterns: '*.rules' + register: find_faillock + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_faillock + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/logins.rules + as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/logins.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_faillock.matched is defined and find_faillock.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_faillock + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_faillock.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", 
"lxc", "openvz", "podman", "container"] + - find_faillock.matched is defined and find_faillock.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_faillock + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the faillock rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -w /var/run/faillock -p wa -k logins + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_faillock + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the faillock rule in /etc/audit/audit.rules + lineinfile: + line: -w /var/run/faillock -p wa -k logins + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_faillock + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Attempts to Alter Logon and Logout Events + The audit system already collects login information for all users +and root. 
If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +-w /var/log/tallylog -p wa -k logins +-w /var/run/faillock -p wa -k logins +-w /var/log/lastlog -p wa -k logins +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +-w /var/log/tallylog -p wa -k logins +-w /var/run/faillock -p wa -k logins +-w /var/log/lastlog -p wa -k logins + This rule checks for multiple syscalls related to login events; +it was written with DISA STIG in mind. Other policies should use a +separate rule for each syscall that needs to be checked. For example: +audit_rules_login_events_tallylogaudit_rules_login_events_faillockaudit_rules_login_events_lastlog + 5.4.1.1 + 3.1.7 + CCI-000172 + CCI-002884 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.2.3 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + 
A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Manual editing of these files may indicate nefarious activity, such +as an attacker attempting to remove evidence of an intrusion. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_watch_rule "auditctl" "/var/log/tallylog" "wa" "logins" +fix_audit_watch_rule "augenrules" "/var/log/tallylog" "wa" "logins" + +fix_audit_watch_rule "auditctl" "/var/run/faillock" "wa" "logins" +fix_audit_watch_rule "augenrules" "/var/run/faillock" "wa" "logins" + +fix_audit_watch_rule "auditctl" "/var/log/lastlog" "wa" "logins" +fix_audit_watch_rule "augenrules" "/var/log/lastlog" "wa" "logins" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + Record Attempts to Alter Logon and Logout Events - tallylog + The audit system already collects login information for all users +and root. 
If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +-w /var/log/tallylog -p wa -k logins +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +-w /var/log/tallylog -p wa -k logins + 3.1.7 + CCI-000172 + CCI-002884 + CCI-000126 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.3 + SRG-OS-000392-GPOS-00172 + SRG-OS-000470-GPOS-00214 + SRG-OS-000473-GPOS-00218 + SRG-OS-000473-VMM-001930 + SRG-OS-000470-VMM-001900 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Manual 
editing of these files may indicate nefarious activity, such +as an attacker attempting to remove evidence of an intrusion. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_watch_rule "auditctl" "/var/log/tallylog" "wa" "logins" +fix_audit_watch_rule "augenrules" "/var/log/tallylog" "wa" "logins" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for other user/group modification audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -k logins$ + patterns: '*.rules' + register: find_tallylog + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_tallylog + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/logins.rules + as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/logins.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_tallylog.matched is defined and find_tallylog.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_tallylog + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_tallylog.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", 
"lxc", "openvz", "podman", "container"] + - find_tallylog.matched is defined and find_tallylog.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_tallylog + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the tallylog rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -w /var/log/tallylog -p wa -k logins + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_tallylog + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the tallylog rule in /etc/audit/audit.rules + lineinfile: + line: -w /var/log/tallylog -p wa -k logins + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_tallylog + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Attempts to Alter Logon and Logout Events - lastlog + The audit system already collects login information for all users +and root. 
If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following lines to a file with suffix .rules in the +directory /etc/audit/rules.d in order to watch for attempted manual +edits of files involved in storing logon events: +-w /var/log/lastlog -p wa -k logins +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file in order to watch for unattempted manual +edits of files involved in storing logon events: +-w /var/log/lastlog -p wa -k logins + 3.1.7 + CCI-000126 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.3 + SRG-OS-000392-GPOS-00172 + SRG-OS-000470-GPOS-00214 + SRG-OS-000473-GPOS-00218 + SRG-OS-000473-VMM-001930 + SRG-OS-000470-VMM-001900 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Manual 
editing of these files may indicate nefarious activity, such +as an attacker attempting to remove evidence of an intrusion. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_watch_rule "auditctl" "/var/log/lastlog" "wa" "logins" +fix_audit_watch_rule "augenrules" "/var/log/lastlog" "wa" "logins" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for other user/group modification audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -k logins$ + patterns: '*.rules' + register: find_lastlog + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_lastlog + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing user/group modification ruleset not found, use /etc/audit/rules.d/logins.rules + as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/logins.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lastlog.matched is defined and find_lastlog.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_lastlog + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_lastlog.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] + - find_lastlog.matched is defined and find_lastlog.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_lastlog + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lastlog rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -w /var/log/lastlog -p wa -k logins + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_lastlog + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lastlog rule in /etc/audit/audit.rules + lineinfile: + line: -w /var/log/lastlog -p wa -k logins + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.3 + - audit_rules_login_events_lastlog + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + + Records Events that Modify Date and Time Information + Arbitrary changes to the system time can be used to obfuscate +nefarious activities in log files, as well as to confuse network services that +are highly dependent upon an accurate system time. All changes to the system +time should be audited. 
+ + + Record Attempts to Alter Time Through stime + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d for both 32 bit and 64 bit systems: +-a always,exit -F arch=b32 -S stime -F key=audit_time_rules +Since the 64 bit version of the "stime" system call is not defined in the audit +lookup table, the corresponding "-F arch=b64" form of this rule is not expected +to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule +form itself is sufficient for both 32 bit and 64 bit systems). If the +auditd daemon is configured to use the auditctl utility to +read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file for both 32 bit and 64 bit systems: +-a always,exit -F arch=b32 -S stime -F key=audit_time_rules +Since the 64 bit version of the "stime" system call is not defined in the audit +lookup table, the corresponding "-F arch=b64" form of this rule is not expected +to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule +form itself is sufficient for both 32 bit and 64 bit systems). The -k option +allows for the specification of a key in string form that can be used for +better reporting capability through ausearch and aureport. Multiple system +calls can be defined on the same line to save space if desired, but is not +required. 
See an example of multiple combined system calls: +-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules + 5.4.1.1 + 3.1.7 + CCI-001487 + CCI-000169 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.4.2.b + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Arbitrary changes to the system time can be used to obfuscate +nefarious activities in log files, as well as to confuse network services that +are highly dependent upon an accurate system time (such as sshd). All changes +to the system time should be audited. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +perform_audit_adjtimex_settimeofday_stime_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Perform remediation of Audit rules for stime syscall for x86 platform + block: + + - name: Declare list of syscals + set_fact: + syscalls: + - stime + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the + rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + == 0 + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first + }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + > 0 + + - name: Insert the syscall rule in {{ all_files[0] }} + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ 
tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + + - name: Declare list of syscals + set_fact: + syscalls: + - stime + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < 
audit_syscalls_number_of_syscalls + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_stime + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20stime%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20stime%20-k%20audit_time_rules%0A + mode: 0600 + path: /etc/audit/rules.d/75-syscall-stime.rules + overwrite: true + + + + + + + + + + Record Attempts to Alter Time Through clock_settime + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change +The -k option allows for the specification of a key in string form that can +be used for better reporting capability through ausearch and aureport. +Multiple system calls can be defined on the same line to save space if +desired, but is not required. 
See an example of multiple combined syscalls: +-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules + 5.4.1.1 + 3.1.7 + CCI-001487 + CCI-000169 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.4.2.b + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Arbitrary changes to the system time can be used to obfuscate +nefarious activities in log files, as well as to confuse network services that +are highly dependent upon an accurate system time (such as sshd). All changes +to the system time should be audited. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S clock_settime -F a0=.* \(-F key=\|-k \).*" + GROUP="clock_settime" + FULL_RULE="-a always,exit -F arch=$ARCH -S clock_settime -F a0=0x0 -k time-change" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_clock_settime + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for clock_settime for x86 platform + block: + + - name: Declare list of syscals + set_fact: + syscalls: + - clock_settime + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + 
+ - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + + - name: Search /etc/audit/rules.d for other rules with the key time-change + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)time-change$ + patterns: '*.rules' + register: find_syscalls_files + + - name: Use /etc/audit/rules.d/time-change.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/time-change.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + == 0 + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first + }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + > 0 + + - name: Insert the syscall rule in {{ all_files[0] }} + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" + + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + + - name: Declare list of syscals + set_fact: + syscalls: + - clock_settime + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" + + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_clock_settime + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for clock_settime for x86_64 platform + block: + + - name: Declare list of syscals + set_fact: + syscalls: + - clock_settime + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b64 in 
/etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b64_rules_d + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + }}" + + - name: Search /etc/audit/rules.d for other rules with the key time-change + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)time-change$ + patterns: '*.rules' + register: find_syscalls_files + + - name: Use /etc/audit/rules.d/time-change.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/time-change.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + == 0 + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first + }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + > 0 + + - name: Insert the syscall rule in {{ all_files[0] }} + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" + + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + + - name: 
Declare list of syscals + set_fact: + syscalls: + - clock_settime + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(?:-F[\s]+a0=0x0[\s]+)(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b64_audit_rules + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + }}" + + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -F a0=0x0 -k time-change' }}" + + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch == "b64" + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_clock_settime + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: 
machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A + mode: 0600 + path: /etc/audit/rules.d/75-syscall-clock-settime.rules + overwrite: true + + + + + + + + + + Record Attempts to Alter the localtime File + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the default), +add the following line to a file with suffix .rules in the directory +/etc/audit/rules.d: +-w /etc/localtime -p wa -k audit_time_rules +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-w /etc/localtime -p wa -k audit_time_rules +The -k option allows for the specification of a key in string form that can +be used for better reporting capability through ausearch and aureport and +should always be used. 
+ 5.4.1.1 + 3.1.7 + CCI-001487 + CCI-000169 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.4.2.b + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Arbitrary changes to the system time can be used to obfuscate +nefarious activities in log files, as well as to confuse network services that +are highly dependent upon an accurate system time (such as sshd). All changes +to the system time should be audited. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules" +fix_audit_watch_rule "augenrules" "/etc/localtime" "wa" "audit_time_rules" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check if watch rule for /etc/localtime already exists in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+ + patterns: '*.rules' + register: find_existing_watch_rules_d + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Search /etc/audit/rules.d for other rules with specified key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_watch_key + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is 
defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched + is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched + is defined and find_existing_watch_rules_d.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add watch rule for /etc/localtime in /etc/audit/rules.d/ + lineinfile: + path: '{{ all_files[0] }}' + line: -w /etc/localtime -p wa -k audit_time_rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Check if watch rule for /etc/localtime already exists in /etc/audit/audit.rules + find: + paths: /etc/audit/ + contains: 
^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+ + patterns: audit.rules + register: find_existing_watch_audit_rules + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Add watch rule for /etc/localtime in /etc/audit/audit.rules + lineinfile: + line: -w /etc/localtime -p wa -k audit_time_rules + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched + == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_watch_localtime + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-w%20/etc/localtime%20-p%20wa%20-k%20audit_time_rules%0A + mode: 0600 + path: /etc/audit/rules.d/75-etclocaltime-wa-audit_time_rules.rules + overwrite: true + + + + + + + + + + Record attempts to alter time through adjtimex + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S adjtimex -F 
key=audit_time_rules +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules +The -k option allows for the specification of a key in string form that can be +used for better reporting capability through ausearch and aureport. Multiple +system calls can be defined on the same line to save space if desired, but is +not required. See an example of multiple combined syscalls: +-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules + 5.4.1.1 + 3.1.7 + CCI-001487 + CCI-000169 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.4.2.b + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Arbitrary changes to the system time can be used 
to obfuscate +nefarious activities in log files, as well as to confuse network services that +are highly dependent upon an accurate system time (such as sshd). All changes +to the system time should be audited. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +perform_audit_adjtimex_settimeofday_stime_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_adjtimex + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for adjtimex for x86 platform + block: + + - name: Declare list of syscals + set_fact: + syscalls: + - adjtimex + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F 
key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the + rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + == 0 + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first + }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + > 0 + + - name: Insert the syscall rule in {{ all_files[0] }} + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + + - name: Declare list of syscals + set_fact: + syscalls: + - adjtimex + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: 
audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_adjtimex + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for adjtimex for x86_64 platform + block: + + - name: Declare list of syscals + set_fact: + syscalls: + - adjtimex + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b64_rules_d + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b64 in 
/etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + }}" + + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the + rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + == 0 + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first + }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + > 0 + + - name: Insert the syscall rule in {{ all_files[0] }} + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + + - name: Declare list of syscals + set_fact: + syscalls: + - adjtimex + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ + item 
}}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b64_audit_rules + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + }}" + + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch == "b64" + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_adjtimex + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A + mode: 0600 + path: /etc/audit/rules.d/75-syscall-adjtimex.rules + overwrite: true + + + + + + + + + + 
Record attempts to alter time through settimeofday + If the auditd daemon is configured to use the +augenrules program to read audit rules during daemon startup (the +default), add the following line to a file with suffix .rules in the +directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules +The -k option allows for the specification of a key in string form that can be +used for better reporting capability through ausearch and aureport. Multiple +system calls can be defined on the same line to save space if desired, but is +not required. 
See an example of multiple combined syscalls: +-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules + 5.4.1.1 + 3.1.7 + CCI-001487 + CCI-000169 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.4.2.b + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + Arbitrary changes to the system time can be used to obfuscate +nefarious activities in log files, as well as to confuse network services that +are highly dependent upon an accurate system time (such as sshd). All changes +to the system time should be audited. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +perform_audit_adjtimex_settimeofday_stime_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_settimeofday + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for settimeofday for x86 platform + block: + + - name: Declare list of syscals + set_fact: + syscalls: + - settimeofday + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the + rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined 
and find_syscalls_files.matched + == 0 + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first + }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + > 0 + + - name: Insert the syscall rule in {{ all_files[0] }} + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + + - name: Declare list of syscals + set_fact: + syscalls: + - settimeofday + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + + - 
name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_settimeofday + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Perform remediation of Audit rules for settimeofday for x86_64 platform + block: + + - name: Declare list of syscals + set_fact: + syscalls: + - settimeofday + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b64_rules_d + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + }}" + + - name: Search /etc/audit/rules.d for other rules with the key audit_time_rules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F 
key=|-k\s+)audit_time_rules$ + patterns: '*.rules' + register: find_syscalls_files + + - name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the + rule + set_fact: + all_files: + - /etc/audit/rules.d/audit_time_rules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + == 0 + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first + }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + > 0 + + - name: Insert the syscall rule in {{ all_files[0] }} + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + + - name: Declare list of syscals + set_fact: + syscalls: + - settimeofday + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b64_audit_rules + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: 
audit_syscalls_matched_b64_audit_rules="{{ audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + }}" + + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k audit_time_rules' }}" + + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch == "b64" + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4.2.b + - audit_rules_time_settimeofday + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20settimeofday%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20settimeofday%20-k%20audit_time_rules%0A + mode: 0600 + path: /etc/audit/rules.d/75-syscall-settimeofday.rules + overwrite: true + + + + + + + + + + + Record Information on the Use of Privileged Commands + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. 
+ + + Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-VMM-001910 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on 
organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/bin/sudoedit\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/sudoedit.*$ + patterns: '*.rules' + register: find_sudoedit + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_sudoedit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_sudoedit.matched is defined and 
find_sudoedit.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_sudoedit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_sudoedit.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_sudoedit.matched is defined and find_sudoedit.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_sudoedit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the sudoedit rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F + key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_sudoedit + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the sudoedit rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/sudoedit -F auid>=1000 -F auid!=unset -F + key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_sudoedit + - low_complexity + - 
low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - crontab + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged + 3.1.7 + CCI-000135 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000042-GPOS-00020 + SRG-OS-000392-GPOS-00172 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-VMM-001910 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. 
+Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/bin/crontab\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/crontab.*$ + patterns: '*.rules' + register: find_crontab + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_crontab + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_crontab.matched is defined and find_crontab.matched == 0 + 
tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_crontab + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_crontab.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_crontab.matched is defined and find_crontab.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_crontab + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the crontab rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F + key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_crontab + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the crontab rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/crontab -F auid>=1000 -F auid!=unset -F + key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_crontab + - low_complexity + - low_disruption + - medium_severity + - 
no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/newgidmap -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/newgidmap -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000172 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + SRG-OS-000471-VMM-001910 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/bin/newgidmap\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/bin/newgidmap -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/newgidmap.*$ + patterns: '*.rules' + register: find_newgidmap + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_newgidmap + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_newgidmap.matched is defined and find_newgidmap.matched == 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_newgidmap + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_newgidmap.files | map(attribute=''path'') | list | first }}' + when: + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_newgidmap.matched is defined and find_newgidmap.matched > 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_newgidmap + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the newgidmap rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/newgidmap -F auid>=1000 -F auid!=unset -F + key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_newgidmap + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the newgidmap rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/newgidmap -F auid>=1000 -F auid!=unset -F + key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_newgidmap + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. 
If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 +-F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/libexec/openssh/ssh-keysign +-F auid>=1000 -F auid!=unset -F key=privileged + 3.1.7 + CCI-000135 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000392-GPOS-00172 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-VMM-001910 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. 
+ +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/libexec/openssh/ssh-keysign.*$ + patterns: '*.rules' + register: find_ssh_keysign + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_ssh_keysign + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_ssh_keysign.matched is defined and find_ssh_keysign.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - 
NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_ssh_keysign + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_ssh_keysign.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_ssh_keysign.matched is defined and find_ssh_keysign.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_ssh_keysign + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the ssh_keysign rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F + auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_ssh_keysign + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the ssh_keysign rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F + auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_ssh_keysign + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - 
restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - umount + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-VMM-001910 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse 
impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/bin/umount\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/umount.*$ + patterns: '*.rules' + register: find_umount + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_umount + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_umount.matched is defined and 
find_umount.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_umount + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_umount.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_umount.matched is defined and find_umount.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_umount + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the umount rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_umount + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the umount rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_umount + - low_complexity + - low_disruption + - medium_severity + - 
no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - newgrp + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-VMM-001910 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant 
adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/bin/newgrp\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/newgrp.*$ + patterns: '*.rules' + register: find_newgrp + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_newgrp + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - 
find_newgrp.matched is defined and find_newgrp.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_newgrp + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_newgrp.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_newgrp.matched is defined and find_newgrp.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_newgrp + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the newgrp rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_newgrp + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the newgrp rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) 
+ - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_newgrp + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - chage + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged + 3.1.7 + CCI-000135 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000042-GPOS-00020 + SRG-OS-000392-GPOS-00172 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-VMM-001910 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and 
ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/bin/chage\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/chage.*$ + patterns: '*.rules' + register: find_chage + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_chage + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", 
"podman", "container"] + - find_chage.matched is defined and find_chage.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_chage + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_chage.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_chage.matched is defined and find_chage.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_chage + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the chage rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_chage + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the chage rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/chage -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - 
NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_chage + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privileged + 3.1.7 + CCI-000135 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000392-GPOS-00172 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-VMM-001910 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized 
external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/bin/gpasswd\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/gpasswd.*$ + patterns: '*.rules' + register: find_gpasswd + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_gpasswd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - 
/etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_gpasswd.matched is defined and find_gpasswd.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_gpasswd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_gpasswd.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_gpasswd.matched is defined and find_gpasswd.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_gpasswd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the gpasswd rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F + key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_gpasswd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the gpasswd rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/gpasswd -F auid>=1000 -F auid!=unset -F + key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_gpasswd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - chsh + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privileged + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-VMM-001910 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 14 + 
15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/bin/chsh\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/chsh.*$ + patterns: '*.rules' + register: find_chsh + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_chsh + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + 
+- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_chsh.matched is defined and find_chsh.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_chsh + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_chsh.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_chsh.matched is defined and find_chsh.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_chsh + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the chsh rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_chsh + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the chsh rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/chsh -F auid>=1000 -F auid!=unset -F key=privileged + create: true 
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_chsh + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/libexec/pt_chown -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/libexec/pt_chown -F auid>=1000 -F auid!=unset -F key=privileged + 3.1.7 + CCI-000135 + CCI-000172 + CCI-002884 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SRG-OS-000042-GPOS-00020 + SRG-OS-000392-GPOS-00172 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-VMM-001910 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + Misuse of privileged functions, either intentionally or unintentionally by +authorized 
users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/libexec/pt_chown\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/libexec/pt_chown -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/libexec/pt_chown.*$ + patterns: '*.rules' + register: find_pt_chown + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_pt_chown + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - 
/etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_pt_chown.matched is defined and find_pt_chown.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_pt_chown + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_pt_chown.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_pt_chown.matched is defined and find_pt_chown.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_pt_chown + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the pt_chown rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/libexec/pt_chown -F auid>=1000 -F auid!=unset + -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_pt_chown + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the pt_chown rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/libexec/pt_chown -F auid>=1000 -F auid!=unset + -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - 
NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_pt_chown + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/newuidmap -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/newuidmap -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000172 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + SRG-OS-000471-VMM-001910 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/bin/newuidmap\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/bin/newuidmap -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/newuidmap.*$ + patterns: '*.rules' + register: find_newuidmap + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_newuidmap + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_newuidmap.matched is defined and find_newuidmap.matched == 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_newuidmap + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_newuidmap.files | map(attribute=''path'') | list | first }}' + when: + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_newuidmap.matched is defined and find_newuidmap.matched > 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_newuidmap + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the newuidmap rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/newuidmap -F auid>=1000 -F auid!=unset -F + key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_newuidmap + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the newuidmap rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/newuidmap -F auid>=1000 -F auid!=unset -F + key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_newuidmap + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands + The audit system should collect information about usage of privileged +commands for all users and root. 
To find the relevant setuid / +setgid programs, run the following command for each local partition +PART: +$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add a line of +the following form to a file with suffix .rules in the directory +/etc/audit/rules.d for each setuid / setgid program on the system, +replacing the SETUID_PROG_PATH part with the full path of that setuid / +setgid program in the list: +-a always,exit -F path=SETUID_PROG_PATH -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules for each setuid / setgid program on the +system, replacing the SETUID_PROG_PATH part with the full path of that +setuid / setgid program in the list: +-a always,exit -F path=SETUID_PROG_PATH -F auid>=1000 -F auid!=unset -F key=privileged + This rule checks for multiple syscalls related to privileged commands; +it was written with DISA STIG in mind. Other policies should use a +separate rule for each syscall that needs to be checked. 
For example: +audit_rules_privileged_commands_suaudit_rules_privileged_commands_umountaudit_rules_privileged_commands_passwd + 5.4.1.1 + 3.1.7 + CCI-002234 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-2 + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + DE.DP-4 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + RS.CO-2 + Req-10.2.2 + SRG-OS-000327-GPOS-00127 + SRG-OS-000471-VMM-001910 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 3.9 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.5 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.3.4.5.9 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO08.04 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.05 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.1 + A.16.1.2 + A.16.1.3 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.1.3 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 0582 + 0584 + 05885 + 0586 + 0846 + 0957 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. 
As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +perform_audit_rules_privileged_commands_remediation "auditctl" "1000" +perform_audit_rules_privileged_commands_remediation "augenrules" "1000" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search for privileged commands + shell: | + set -o pipefail + find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null + args: + warn: false + executable: /bin/bash + check_mode: false + register: find_result + changed_when: false + failed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path={{ item }} .*$ + patterns: '*.rules' + with_items: + - '{{ find_result.stdout_lines }}' + register: files_result + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - 
NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Overwrites the rule in rules.d + lineinfile: + path: '{{ item.1.path }}' + line: -a always,exit -F path={{ item.0.item }} -F auid>=1000 -F auid!=unset -F + key=privileged + create: false + regexp: ^.*path={{ item.0.item }} .*$ + with_subelements: + - '{{ files_result.results }}' + - files + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Adds the rule in rules.d + lineinfile: + path: /etc/audit/rules.d/privileged.rules + line: -a always,exit -F path={{ item.item }} -F auid>=1000 -F auid!=unset -F key=privileged + create: true + with_items: + - '{{ files_result.results }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - files_result.results is defined and item.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path={{ item.item }} -F auid>=1000 -F auid!=unset -F key=privileged + create: true + regexp: ^.*path={{ item.item }} .*$ + with_items: + - '{{ files_result.results }}' + when: ansible_virtualization_type not in 
["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.2 + - audit_rules_privileged_commands + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - sudo + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-VMM-001910 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + 
A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + BP28(R19) + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/bin/sudo\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/sudo.*$ + patterns: '*.rules' + register: find_sudo + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_sudo + - low_complexity + - low_disruption + - 
medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_sudo.matched is defined and find_sudo.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_sudo + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_sudo.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_sudo.matched is defined and find_sudo.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_sudo + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the sudo rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_sudo + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the sudo rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_sudo + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - at + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000172 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + SRG-OS-000471-VMM-001910 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/bin/at\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/at.*$ + patterns: '*.rules' + register: find_at + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_at + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_at.matched is defined and find_at.matched == 0 + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_at + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_at.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_at.matched is defined and 
find_at.matched > 0 + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_at + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the at rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_at + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the at rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/at -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_at + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - userhelper + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. 
If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -F key=privileged + 3.1.7 + CCI-000135 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000042-GPOS-00020 + SRG-OS-000392-GPOS-00172 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-VMM-001910 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. 
+ +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/sbin/userhelper\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/sbin/userhelper.*$ + patterns: '*.rules' + register: find_userhelper + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_userhelper + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_userhelper.matched is defined and find_userhelper.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - 
NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_userhelper + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_userhelper.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_userhelper.matched is defined and find_userhelper.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_userhelper + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the userhelper rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset + -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_userhelper + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the userhelper rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/sbin/userhelper -F auid>=1000 -F auid!=unset + -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_userhelper + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure auditd Collects 
Information on the Use of Privileged Commands - passwd + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged + 3.1.7 + CCI-000135 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000392-GPOS-00172 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-VMM-001910 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. 
+Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/bin/passwd\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/passwd.*$ + patterns: '*.rules' + register: find_passwd + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_passwd.matched is defined and 
find_passwd.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_passwd.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_passwd.matched is defined and find_passwd.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the passwd rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the passwd rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - 
audit_rules_privileged_commands_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged + 3.1.7 + CCI-000135 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000042-GPOS-00020 + SRG-OS-000392-GPOS-00172 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-VMM-001910 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a 
serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/sbin/unix_chkpwd\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/sbin/unix_chkpwd.*$ + patterns: '*.rules' + register: find_unix_chkpwd + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_unix_chkpwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_unix_chkpwd.matched is defined and find_unix_chkpwd.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_unix_chkpwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_unix_chkpwd.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_unix_chkpwd.matched is defined and find_unix_chkpwd.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_unix_chkpwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the unix_chkpwd rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset + -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_unix_chkpwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the unix_chkpwd rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/sbin/unix_chkpwd -F auid>=1000 -F auid!=unset + -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_unix_chkpwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - su + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged + 3.1.7 + CCI-000130 + CCI-000135 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-VMM-001910 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 
14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/bin/su\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/su.*$ + patterns: '*.rules' + register: find_su + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_su + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use 
/etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_su.matched is defined and find_su.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_su + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_su.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_su.matched is defined and find_su.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_su + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the su rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_su + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the su rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/su -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - 
NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_su + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/usernetctl -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/sbin/usernetctl -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000172 + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + SRG-OS-000471-VMM-001910 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/sbin/usernetctl\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/sbin/usernetctl -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/sbin/usernetctl.*$ + patterns: '*.rules' + register: find_usernetctl + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_usernetctl + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_usernetctl.matched is defined and find_usernetctl.matched == 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_usernetctl + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_usernetctl.files | map(attribute=''path'') | list | first }}' + when: + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_usernetctl.matched is defined and find_usernetctl.matched > 0 + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_usernetctl + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the usernetctl rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/sbin/usernetctl -F auid>=1000 -F auid!=unset + -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_usernetctl + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the usernetctl rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/sbin/usernetctl -F auid>=1000 -F auid!=unset + -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_usernetctl + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - mount + At a minimum, the audit system should collect the execution of +privileged commands for all users and root. 
If the auditd daemon is +configured to use the augenrules program to read audit rules during +daemon startup (the default), add a line of the following form to a file with +suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add a line of the following +form to /etc/audit/audit.rules: +-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000130 + CCI-000135 + CCI-000169 + CCI-000172 + CCI-002884 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + SRG-OS-000471-VMM-001910 + SRG-OS-000037-GPOS-00015 + SRG-OS-000042-GPOS-00020 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/bin/mount\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/mount.*$ + patterns: '*.rules' + register: find_mount + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_mount + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_mount.matched is defined and find_mount.matched == 0 + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_mount + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_mount.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - 
find_mount.matched is defined and find_mount.matched > 0 + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_mount + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the mount rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_mount + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the mount rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_privileged_commands_mount + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Record Execution Attempts to Run ACL Privileged Commands + At a minimum, the audit system should collect the execution of +ACL privileged commands for all users and root. 
+ + + + Record Information on Kernel Modules Loading and Unloading + To capture kernel module loading and unloading events, use following lines, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +-a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules + + +Place to add the lines depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the lines to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the lines to file /etc/audit/audit.rules. + + + Ensure auditd Collects Information on Kernel Module Loading and Unloading + To capture kernel module loading and unloading events, use following lines, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: + +-a always,exit -F arch=ARCH -S init_module,finit_module,delete_module -F key=modules + + +The place to add the lines depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the lines to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the lines to file /etc/audit/audit.rules. 
+ 5.4.1.1 + 3.1.7 + CCI-000172 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + Req-10.2.7 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The addition/removal of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel. 
+ + - name: Set architecture for audit tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Perform remediation of Audit rules for kernel module loading for x86 platform + block: + + - name: Declare list of syscals + set_fact: + syscalls: + - init_module + - delete_module + - finit_module + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b32 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b32_rules_d + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b32 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b32_rules_d="{{ audit_syscalls_found_b32_rules_d.results|sum(attribute='matched')|int + }}" + + - name: Search /etc/audit/rules.d for other rules with the key modules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)modules$ + patterns: '*.rules' + register: find_syscalls_files + + - name: Use /etc/audit/rules.d/modules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/modules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + == 0 + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files 
| map(attribute=''path'') | list | first + }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + > 0 + + - name: Insert the syscall rule in {{ all_files[0] }} + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b32_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k modules' }}" + + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_rules_d < audit_syscalls_number_of_syscalls + + - name: Declare list of syscals + set_fact: + syscalls: + - init_module + - delete_module + - finit_module + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b32 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b32_audit_rules + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b32 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b32_audit_rules="{{ audit_syscalls_found_b32_audit_rules.results|sum(attribute='matched')|int + }}" + + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b32" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ 
audit_syscalls_found_b32_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k modules' }}" + + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b32_audit_rules < audit_syscalls_number_of_syscalls + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Perform remediation of Audit rules for kernel module loading for x86_64 platform + block: + + - name: Declare list of syscals + set_fact: + syscalls: + - init_module + - delete_module + - finit_module + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b64 in /etc/audit/rules.d/ + find: + paths: /etc/audit/rules.d + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: '*.rules' + register: audit_syscalls_found_b64_rules_d + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b64 in /etc/audit/rules.d/ + set_fact: audit_syscalls_matched_b64_rules_d="{{ audit_syscalls_found_b64_rules_d.results|sum(attribute='matched')|int + }}" + + - name: Search /etc/audit/rules.d for other rules with the key modules + find: + paths: /etc/audit/rules.d + contains: ^.*(?:-F key=|-k\s+)modules$ + patterns: '*.rules' + register: find_syscalls_files + + - name: Use 
/etc/audit/rules.d/modules.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/modules.rules + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + == 0 + + - name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_syscalls_files.files | map(attribute=''path'') | list | first + }}' + when: find_syscalls_files.matched is defined and find_syscalls_files.matched + > 0 + + - name: Insert the syscall rule in {{ all_files[0] }} + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_rules_d.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k modules' }}" + + - name: Insert the line in {{ all_files[0] }} + lineinfile: + path: '{{ all_files[0] }}' + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_rules_d < audit_syscalls_number_of_syscalls + + - name: Declare list of syscals + set_fact: + syscalls: + - init_module + - delete_module + - finit_module + + - name: Declare number of syscalls + set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}" + + - name: Check existence of syscalls for architecture b64 in /etc/audit/audit.rules + find: + paths: /etc/audit + contains: ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{ + item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + patterns: audit.rules + register: audit_syscalls_found_b64_audit_rules + loop: '{{ syscalls }}' + + - name: Get number of matched syscalls for architecture b64 in /etc/audit/audit.rules + set_fact: audit_syscalls_matched_b64_audit_rules="{{ 
audit_syscalls_found_b64_audit_rules.results|sum(attribute='matched')|int + }}" + + - name: Insert the syscall rule in /etc/audit/audit.rules + block: + + - name: 'Construct rule: add rule list, action and arch' + set_fact: tmpline="-a always,exit -F arch=b64" + + - name: 'Construct rule: add syscalls' + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" + loop: '{{ audit_syscalls_found_b64_audit_rules.results }}' + when: item.matched is defined and item.matched == 0 + + - name: 'Construct rule: add fields and key' + set_fact: tmpline="{{ tmpline + ' -k modules' }}" + + - name: Insert the line in /etc/audit/audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: '{{ tmpline }}' + create: true + state: present + when: audit_syscalls_matched_b64_audit_rules < audit_syscalls_number_of_syscalls + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch == "b64" + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.2.7 + - audit_rules_kernel_module_loading + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Unloading - delete_module + To capture kernel module unloading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: +-a always,exit -F arch=ARCH -S delete_module -F key=modules + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. + +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. 
+ 3.1.7 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-GPOS-00216 + SRG-OS-000477-GPOS-00222 + SRG-OS-000477-VMM-001970 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The removal of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +# Note: 32-bit and 64-bit kernel syscall numbers not always line up => +# it's required on a 64-bit system to check also for the presence +# of 32-bit's equivalent of the corresponding rule. +# (See `man 7 audit.rules` for details ) +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S delete_module \(-F key=\|-k \).*" + GROUP="modules" + FULL_RULE="-a always,exit -F arch=$ARCH -S delete_module -k modules" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A + mode: 0600 + path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules + overwrite: true + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Loading - init_module + To capture kernel module loading events, use following line, setting ARCH to +either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit: +-a always,exit -F arch=ARCH -S init_module -F key=modules + +Place to add the line depends on a way auditd daemon is configured. If it is configured +to use the augenrules program (the default), add the line to a file with suffix +.rules in the directory /etc/audit/rules.d. 
+ +If the auditd daemon is configured to use the auditctl utility, +add the line to file /etc/audit/audit.rules. + 3.1.7 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-GPOS-00216 + SRG-OS-000477-GPOS-00222 + SRG-OS-000477-VMM-001970 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The addition of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +# Note: 32-bit and 64-bit kernel syscall numbers not always line up => +# it's required on a 64-bit system to check also for the presence +# of 32-bit's equivalent of the corresponding rule. +# (See `man 7 audit.rules` for details ) +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S init_module \(-F key=\|-k \).*" + GROUP="modules" + FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -k modules" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A + mode: 0600 + path: /etc/audit/rules.d/75-kernel-module-loading-init.rules + overwrite: true + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module + If the auditd daemon is configured to use the augenrules program +to read audit rules during daemon startup (the default), add the following lines to a file +with suffix .rules in the directory /etc/audit/rules.d to capture kernel module +loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: +-a always,exit -F arch=ARCH -S finit_module -F key=modules +If the auditd daemon is configured to use the auditctl utility to read audit +rules 
during daemon startup, add the following lines to /etc/audit/audit.rules file +in order to capture kernel module loading and unloading events, setting ARCH to either b32 or +b64 as appropriate for your system: +-a always,exit -F arch=ARCH -S finit_module -F key=modules + 3.1.7 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.2.7 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000471-GPOS-00216 + SRG-OS-000477-GPOS-00222 + SRG-OS-000477-VMM-001970 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The addition/removal of kernel modules can be used to alter the behavior of +the kernel and potentially introduce malicious code into kernel space. It is important +to have an audit trail of modules that have been introduced into the kernel. 
+ + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +# Note: 32-bit and 64-bit kernel syscall numbers not always line up => +# it's required on a 64-bit system to check also for the presence +# of 32-bit's equivalent of the corresponding rule. +# (See `man 7 audit.rules` for details ) +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S finit_module \(-F key=\|-k \).*" + GROUP="modules" + FULL_RULE="-a always,exit -F arch=$ARCH -S finit_module -k modules" + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20finit_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20finit_module%20-k%20module-change%0A + mode: 0600 + path: /etc/audit/rules.d/75-kernel-module-loading-finit.rules + overwrite: true + + + + + + + + + + + Record Execution Attempts to Run SELinux Privileged Commands + At a minimum, the audit system should collect the execution of +SELinux privileged commands for all users and root. + + + Record Any Attempts to Run setsebool + At a minimum, the audit system should collect any execution attempt +of the setsebool command for all users and root. 
If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000392-GPOS-00172 + SRG-OS-000463-GPOS-00207 + SRG-OS-000465-GPOS-00209 + SRG-OS-000463-VMM-001850 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. 
+ +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/sbin/setsebool\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/sbin/setsebool.*$ + patterns: '*.rules' + register: find_setsebool + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_setsebool + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_setsebool.matched is defined and find_setsebool.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - 
audit_rules_execution_setsebool + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_setsebool.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_setsebool.matched is defined and find_setsebool.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_setsebool + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the setsebool rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset + -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_setsebool + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the setsebool rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=unset + -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_setsebool + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Record Any Attempts to Run chcon + At a minimum, the audit system should collect any execution 
attempt +of the chcon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: + +-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: + +-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged + 3.1.7 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000463-GPOS-00207 + SRG-OS-000465-GPOS-00209 + SRG-OS-000471-GPOS-00215 + SRG-OS-000463-VMM-001850 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. 
+Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/bin/chcon\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/bin/chcon.*$ + patterns: '*.rules' + register: find_chcon + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_chcon + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_chcon.matched is defined and find_chcon.matched == 0 + tags: + - 
NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_chcon + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_chcon.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_chcon.matched is defined and find_chcon.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_chcon + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the chcon rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_chcon + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the chcon rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/bin/chcon -F auid>=1000 -F auid!=unset -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_chcon + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Record Any Attempts to Run 
semanage + At a minimum, the audit system should collect any execution attempt +of the semanage command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AC-2(4) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000392-GPOS-00172 + SRG-OS-000463-GPOS-00207 + SRG-OS-000465-GPOS-00209 + SRG-OS-000463-VMM-001850 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. 
+ +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/sbin/semanage\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/sbin/semanage.*$ + patterns: '*.rules' + register: find_semanage + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_semanage + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_semanage.matched is defined and find_semanage.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - 
NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_semanage + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_semanage.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_semanage.matched is defined and find_semanage.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_semanage + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the semanage rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F + key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_semanage + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the semanage rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=unset -F + key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-2(4) + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_semanage + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + 
+ + + + Record Any Attempts to Run restorecon + At a minimum, the audit system should collect any execution attempt +of the restorecon command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged + 3.1.7 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000392-GPOS-00172 + SRG-OS-000463-GPOS-00207 + SRG-OS-000465-GPOS-00209 + SRG-OS-000463-VMM-001850 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. 
+Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/sbin/restorecon\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/sbin/restorecon.*$ + patterns: '*.rules' + register: find_restorecon + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_restorecon + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_restorecon.matched is defined and 
find_restorecon.matched == 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_restorecon + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_restorecon.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_restorecon.matched is defined and find_restorecon.matched > 0 + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_restorecon + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the restorecon rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset + -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_restorecon + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the restorecon rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/sbin/restorecon -F auid>=1000 -F auid!=unset + -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_restorecon + - low_complexity + - low_disruption + - 
medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Record Any Attempts to Run seunshare + At a minimum, the audit system should collect any execution attempt +of the seunshare command for all users and root. If the auditd +daemon is configured to use the augenrules program to read audit rules +during daemon startup (the default), add the following lines to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following lines to +/etc/audit/audit.rules file: +-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged + CCI-000172 + AU-2(d) + AU-12(c) + AC-6(9) + CM-6(a) + FAU_GEN.1.1.c + SRG-OS-000463-VMM-001850 + Misuse of privileged functions, either intentionally or unintentionally by +authorized users, or by unauthorized external entities that have compromised system accounts, +is a serious and ongoing concern and can have significant adverse impacts on organizations. +Auditing the use of privileged functions is one way to detect such misuse and identify +the risk from insider and advanced persistent threats. + +Privileged programs are subject to escalation-of-privilege attacks, +which attempt to subvert their normal role of providing some necessary but +limited capability. As such, motivation exists to monitor these programs for +unusual activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +PATTERN="-a always,exit -F path=/usr/sbin/seunshare\\s\\+.*" +GROUP="privileged" +# Although the fix doesn't use ARCH, we reset it because it could have been set by some other remediation +ARCH="" +FULL_RULE="-a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset -F key=privileged" +# Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + +fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Search /etc/audit/rules.d for audit rule entries + find: + paths: /etc/audit/rules.d + recurse: false + contains: ^.*path=/usr/sbin/seunshare.*$ + patterns: '*.rules' + register: find_seunshare + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_seunshare + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use /etc/audit/rules.d/privileged.rules as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_seunshare.matched is defined and find_seunshare.matched == 0 + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_seunshare + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_seunshare.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] 
+ - find_seunshare.matched is defined and find_seunshare.matched > 0 + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_seunshare + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the seunshare rule in rules.d + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset + -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_seunshare + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Inserts/replaces the seunshare rule in audit.rules + lineinfile: + path: /etc/audit/audit.rules + line: -a always,exit -F path=/usr/sbin/seunshare -F auid>=1000 -F auid!=unset + -F key=privileged + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6(9) + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - audit_rules_execution_seunshare + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls + At a minimum, the audit system should collect file permission +changes for all users and root. Note that the "-F arch=b32" lines should be +present even on a 64 bit system. These commands identify system calls for +auditing. Even if the system is 64 bit it can still execute 32 bit system +calls. Additionally, these rules can be configured in a number of ways while +still achieving the desired effect. 
An example of this is that the "-S" calls +could be split up and placed on separate lines, however, this is less efficient. +Add the following to /etc/audit/audit.rules: +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod + -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod +If your system is 64 bit then these lines should be duplicated and the +arch=b32 replaced with arch=b64 as follows: +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod + -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + + + Record Events that Modify the System's Discretionary Access Controls - setxattr + At a minimum, the audit system should collect file permission +changes for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 5.4.1.1 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000458-VMM-001810 + SRG-OS-000474-VMM-001940 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S setxattr.*" + GROUP="perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit setxattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_setxattr + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + set_fact: + 
all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_setxattr.matched is defined and find_setxattr.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_setxattr.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_setxattr.matched is defined and find_setxattr.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the setxattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the setxattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the setxattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the setxattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_setxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fsetxattr + At a minimum, the audit system should collect file permission +changes for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 5.4.1.1 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000458-VMM-001810 + SRG-OS-000474-VMM-001940 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S fsetxattr.*" + GROUP="perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit fsetxattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fsetxattr + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + set_fact: + 
all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fsetxattr.matched is defined and find_fsetxattr.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_fsetxattr.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fsetxattr.matched is defined and find_fsetxattr.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fsetxattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F + key=perm_mod + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fsetxattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F + key=perm_mod + create: true + when: + - ansible_virtualization_type not in 
["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fsetxattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F + key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fsetxattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F + key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - umount2 + At a minimum, the audit system should collect file system umount2 +changes. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S umount2.*" + GROUP="perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit umount2 tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - audit_rules_dac_modification_umount2 + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_umount2 + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - audit_rules_dac_modification_umount2 + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_umount2.matched is defined and find_umount2.matched == 0 + tags: + - audit_rules_dac_modification_umount2 + - low_complexity + - 
low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_umount2.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_umount2.matched is defined and find_umount2.matched > 0 + tags: + - audit_rules_dac_modification_umount2 + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the umount2 rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - audit_rules_dac_modification_umount2 + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the umount2 rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - audit_rules_dac_modification_umount2 + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the umount2 rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - audit_rules_dac_modification_umount2 + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - 
restrict_strategy + +- name: Inserts/replaces the umount2 rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - audit_rules_dac_modification_umount2 + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - removexattr + At a minimum, the audit system should collect file permission +changes for all users and root. + +If the auditd daemon is configured to use the augenrules +program to read audit rules during daemon startup (the default), add the +following line to a file with suffix .rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 5.4.1.1 + 3.1.7 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000466-GPOS-00210 + SRG-OS-000471-GPOS-00215 + SRG-OS-000458-VMM-001810 + SRG-OS-000474-VMM-001940 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S removexattr.*" + GROUP="perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit removexattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_removexattr + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + 
set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_removexattr.matched is defined and find_removexattr.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_removexattr.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_removexattr.matched is defined and find_removexattr.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the removexattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F + key=perm_mod + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the removexattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F + key=perm_mod + create: true + when: + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the removexattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F + key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the removexattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F + key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_removexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchmodat + At a minimum, the audit system should collect file permission +changes for all users and root. 
If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 5.4.1.1 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000458-VMM-001810 + SRG-OS-000474-VMM-001940 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S fchmodat.*" + GROUP="perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit fchmodat tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fchmodat + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + set_fact: + 
all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchmodat.matched is defined and find_fchmodat.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_fchmodat.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchmodat.matched is defined and find_fchmodat.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchmodat rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchmodat rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchmodat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchmodat rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmodat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr + At a minimum, the audit system should collect file permission +changes for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 5.4.1.1 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000458-VMM-001810 + SRG-OS-000474-VMM-001940 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S lsetxattr.*" + GROUP="perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit lsetxattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_lsetxattr + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + set_fact: + 
all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lsetxattr.matched is defined and find_lsetxattr.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_lsetxattr.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lsetxattr.matched is defined and find_lsetxattr.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lsetxattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F + key=perm_mod + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lsetxattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F + key=perm_mod + create: true + when: + - ansible_virtualization_type not in 
["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lsetxattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F + key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lsetxattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F + key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lsetxattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchownat + At a minimum, the audit system should collect file permission +changes for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 5.4.1.1 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000474-GPOS-00219 + SRG-OS-000458-VMM-001810 + SRG-OS-000474-VMM-001940 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S fchownat.*" + GROUP="perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit fchownat tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchownat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fchownat + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchownat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + set_fact: + 
all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchownat.matched is defined and find_fchownat.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchownat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_fchownat.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchownat.matched is defined and find_fchownat.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchownat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchownat rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchownat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchownat rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchownat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchownat rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchownat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchownat rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchownat + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fremovexattr + At a minimum, the audit system should collect file permission +changes for all users and root. 
+ +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 5.4.1.1 + 3.1.7 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000466-GPOS-00210 + SRG-OS-000471-GPOS-00215 + SRG-OS-000458-VMM-001810 + SRG-OS-000474-VMM-001940 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S fremovexattr.*" + GROUP="perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit fremovexattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fremovexattr + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the 
rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fremovexattr.matched is defined and find_fremovexattr.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_fremovexattr.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fremovexattr.matched is defined and find_fremovexattr.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fremovexattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset + -F key=perm_mod + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fremovexattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset + -F key=perm_mod + create: 
true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fremovexattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset + -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fremovexattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset + -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - chmod + At a minimum, the audit system should collect file permission +changes for all users and root. 
If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 5.4.1.1 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000458-VMM-001810 + SRG-OS-000474-VMM-001940 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S chmod.*" + GROUP="perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit chmod tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_chmod + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + set_fact: + all_files: + - 
/etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_chmod.matched is defined and find_chmod.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_chmod.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_chmod.matched is defined and find_chmod.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the chmod rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the chmod rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is 
defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the chmod rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the chmod rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - umount + At a minimum, the audit system should collect file system umount +changes. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000392-GPOS-00172 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S umount.*" + GROUP="perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit umount tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - audit_rules_dac_modification_umount + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_umount + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - audit_rules_dac_modification_umount + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_umount.matched is defined and find_umount.matched == 0 + tags: + - audit_rules_dac_modification_umount + - low_complexity + - 
low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_umount.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_umount.matched is defined and find_umount.matched > 0 + tags: + - audit_rules_dac_modification_umount + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the umount rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - audit_rules_dac_modification_umount + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the umount rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - audit_rules_dac_modification_umount + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the umount rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - audit_rules_dac_modification_umount + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - 
restrict_strategy + +- name: Inserts/replaces the umount rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - audit_rules_dac_modification_umount + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - lremovexattr + At a minimum, the audit system should collect file permission +changes for all users and root. + +If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 5.4.1.1 + 3.1.7 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000466-GPOS-00210 + SRG-OS-000471-GPOS-00215 + SRG-OS-000458-VMM-001810 + SRG-OS-000474-VMM-001940 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S lremovexattr.*" + GROUP="perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit lremovexattr tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_lremovexattr + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the 
rule + set_fact: + all_files: + - /etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lremovexattr.matched is defined and find_lremovexattr.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_lremovexattr.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lremovexattr.matched is defined and find_lremovexattr.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lremovexattr rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset + -F key=perm_mod + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lremovexattr rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset + -F key=perm_mod + create: 
true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lremovexattr rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset + -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lremovexattr rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset + -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lremovexattr + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - lchown + At a minimum, the audit system should collect file permission +changes for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 5.4.1.1 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000474-GPOS-00219 + SRG-OS-000458-VMM-001810 + SRG-OS-000474-VMM-001940 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S lchown.*" + GROUP="perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit lchown tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_lchown + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + set_fact: + all_files: + - 
/etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lchown.matched is defined and find_lchown.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_lchown.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_lchown.matched is defined and find_lchown.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lchown rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lchown rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - 
audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lchown rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the lchown rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_lchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - chown + At a minimum, the audit system should collect file permission +changes for all users and root. 
If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 5.4.1.1 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000474-GPOS-00219 + SRG-OS-000458-VMM-001810 + SRG-OS-000474-VMM-001940 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S chown.*" + GROUP="perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit chown tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_chown + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + set_fact: + all_files: + - 
/etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_chown.matched is defined and find_chown.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_chown.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_chown.matched is defined and find_chown.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the chown rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the chown rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is 
defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the chown rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the chown rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_chown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchmod + At a minimum, the audit system should collect file permission +changes for all users and root. 
If the auditd daemon is configured to +use the augenrules program to read audit rules during daemon startup +(the default), add the following line to a file with suffix .rules in +the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 5.4.1.1 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000458-VMM-001810 + SRG-OS-000474-VMM-001940 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S fchmod.*" + GROUP="perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit fchmod tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fchmod + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + set_fact: + all_files: + - 
/etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchmod.matched is defined and find_fchmod.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_fchmod.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchmod.matched is defined and find_fchmod.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchmod rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchmod rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - 
audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchmod rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchmod rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchmod + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchown + At a minimum, the audit system should collect file permission +changes for all users and root. 
If the auditd daemon is configured +to use the augenrules program to read audit rules during daemon +startup (the default), add the following line to a file with suffix +.rules in the directory /etc/audit/rules.d: +-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + +If the auditd daemon is configured to use the auditctl +utility to read audit rules during daemon startup, add the following line to +/etc/audit/audit.rules file: +-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + +If the system is 64 bit then also add the following line: +-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + Note that these rules can be configured in a +number of ways while still achieving the desired effect. Here the system calls +have been placed independent of other system calls. Grouping these system +calls with others as identifying earlier in this guide is more efficient. 
+ 5.4.1.1 + 3.1.7 + CCI-000126 + CCI-000130 + CCI-000169 + CCI-000172 + CCI-002884 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-2(d) + AU-12(c) + CM-6(a) + DE.AE-3 + DE.AE-5 + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.AC-3 + PR.PT-1 + PR.PT-4 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + Req-10.5.5 + SRG-OS-000037-GPOS-00015 + SRG-OS-000062-GPOS-00031 + SRG-OS-000064-GPOS-00033 + SRG-OS-000392-GPOS-00172 + SRG-OS-000458-GPOS-00203 + SRG-OS-000462-GPOS-00206 + SRG-OS-000471-GPOS-00215 + SRG-OS-000474-GPOS-00219 + SRG-OS-000458-VMM-001810 + SRG-OS-000474-VMM-001940 + SR 1.13 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.6 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.6 + 4.2.3.10 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.3.6.6 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI08.02 + DSS01.03 + DSS01.04 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.11.2.6 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.6.2.1 + A.6.2.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + The changing of file permissions could indicate that a user is attempting to +gain access to information that would otherwise be disallowed. Auditing DAC modifications +can facilitate the identification of patterns of abuse among both authorized and +unauthorized users. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# First perform the remediation of the syscall rule +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + PATTERN="-a always,exit -F arch=$ARCH -S fchown.*" + GROUP="perm_mod" + FULL_RULE="-a always,exit -F arch=$ARCH -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod" + + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set architecture for audit fchown tasks + set_fact: + audit_arch: b{{ ansible_architecture | regex_replace('.*(\d\d$)','\1') }} + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Search /etc/audit/rules.d for other DAC audit rules + find: + paths: /etc/audit/rules.d + recurse: false + contains: -F key=perm_mod$ + patterns: '*.rules' + register: find_fchown + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: If existing DAC ruleset not found, use /etc/audit/rules.d/privileged.rules + as the recipient for the rule + set_fact: + all_files: + - 
/etc/audit/rules.d/privileged.rules + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchown.matched is defined and find_fchown.matched == 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Use matched file as the recipient for the rule + set_fact: + all_files: + - '{{ find_fchown.files | map(attribute=''path'') | list | first }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - find_fchown.matched is defined and find_fchown.matched > 0 + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchown rule in rules.d when on x86 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchown rule in rules.d when on x86_64 + lineinfile: + path: '{{ all_files[0] }}' + line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - 
audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchown rule in /etc/audit/audit.rules when on x86 + lineinfile: + line: -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + +- name: Inserts/replaces the fchown rule in audit.rules when on x86_64 + lineinfile: + line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod + state: present + dest: /etc/audit/audit.rules + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - audit_arch is defined and audit_arch == 'b64' + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.1.7 + - NIST-800-53-AU-12(c) + - NIST-800-53-AU-2(d) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.5 + - audit_rules_dac_modification_fchown + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + + + Configure auditd Data Retention + The audit system writes data to /var/log/audit/audit.log. By default, +auditd rotates 5 logs by size (6MB), retaining a maximum of 30MB of +data in total, and refuses to write entries when the disk is too +full. This minimizes the risk of audit data filling its partition +and impacting other services. 
This also minimizes the risk of the audit +daemon temporarily disabling the system if it cannot write audit log (which +it can be configured to do). + +For a busy +system or a system which is thoroughly auditing system activity, the default settings +for data retention may be + insufficient. The log file size needed will depend heavily on what types +of events are being audited. First configure auditing to log all the events of +interest. Then monitor the log size manually for awhile to determine what file +size will allow you to keep the required data for the correct time period. + +Using a dedicated partition for /var/log/audit prevents the +auditd logs from disrupting system functionality if they fill, and, +more importantly, prevents other activity in /var from filling the +partition and stopping the audit trail. (The audit logs are size-limited and +therefore unlikely to grow without bound unless configured to do so.) Some +machines may have requirements that no actions occur which cannot be audited. +If this is the case, then auditd can be configured to halt the machine +if it runs out of space. Note: Since older logs are rotated, +configuring auditd this way does not prevent older logs from being +rotated away before they can be viewed. + +If your system is configured to halt when logging cannot be performed, make +sure this can never happen under normal circumstances! Ensure that +/var/log/audit is on its own partition, and that this partition is +larger than the maximum amount of data auditd will retain +normally. 
+ + + Action for audispd to take when disk is full + The setting for disk_full_action in /etc/audisp/audisp-remote.conf + single + exec + halt + single + suspend + syslog + warn_once + stop + + + Action for audispd to take when network fails + The setting for network_failure_action in /etc/audisp/audisp-remote.conf + single + exec + halt + single + suspend + syslog + warn_once + stop + ignore + + + Remote server for audispd to send audit records + +The setting for remote_server in /etc/audit/audisp-remote.conf + logcollector + + + Account for auditd to send email when actions occurs + The setting for action_mail_acct in /etc/audit/auditd.conf + admin + root + root + + + Action for auditd to take when disk space is low + The setting for admin_space_left_action in /etc/audit/auditd.conf + single + email + exec + halt + single + suspend + syslog + rotate + ignore + + + Action for auditd to take when disk errors + The setting for disk_error_action in /etc/audit/auditd.conf + single + exec + halt + single + suspend + syslog + ignore + + + Action for auditd to take when disk is full + The setting for disk_full_action in /etc/audit/auditd.conf + single + exec + halt + single + suspend + syslog + ignore + rotate + + + Auditd priority for flushing data to disk + The setting for flush in /etc/audit/auditd.conf + data + data + incremental + incremental_async + none + sync + + + Maximum audit log file size for auditd + The setting for max_log_size in /etc/audit/auditd.conf + 1 + 10 + 20 + 5 + 6 + 6 + + + Action for auditd to take when log files reach their maximum size + The setting for max_log_file_action in /etc/audit/auditd.conf + rotate + keep_logs + rotate + suspend + syslog + ignore + + + Number of log files for auditd to retain + The setting for num_logs in /etc/audit/auditd.conf + 0 + 1 + 2 + 3 + 4 + 5 + 5 + + + Size remaining in disk space before prompting space_left_action + The setting for space_left (MB) in /etc/audit/auditd.conf + 1000 + 100 + 250 + 500 + 750 + 
100 + + + Action for auditd to take when disk space just starts to run low + The setting for space_left_action in /etc/audit/auditd.conf + email + email + exec + halt + single + suspend + syslog + rotate + ignore + + + Configure audispd Plugin To Send Logs To Remote Server + Configure the audispd plugin to off-load audit records onto a different +system or media from the system being audited. +Set the remote_server option in /etc/audit/audisp-remote.conf +with an IP address or hostname of the system that the audispd plugin should +send audit records to. For example +remote_server = + CCI-001851 + SRG-OS-000342-GPOS-00133 + SRG-OS-000479-GPOS-00224 + SRG-OS-000051-VMM-000230 + SRG-OS-000058-VMM-000270 + SRG-OS-000059-VMM-000280 + SRG-OS-000479-VMM-001990 + SRG-OS-000479-VMM-001990 + FAU_GEN.1.1.c + Information stored in one location is vulnerable to accidental or incidental +deletion or alteration.Off-loading is a common process in information systems +with limited audit storage capacity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +var_audispd_remote_server="" + + + + +AUDITCONFIG=/etc/audit/audisp-remote.conf + +replace_or_append $AUDITCONFIG '^remote_server' "$var_audispd_remote_server" "" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_audispd_remote_server # promote to variable + set_fact: + var_audispd_remote_server: !!str + tags: + - always + +- name: Make sure that a remote server is configured for Audispd + lineinfile: + path: /etc/audit/audisp-remote.conf + line: remote_server = {{ var_audispd_remote_server }} + regexp: ^\s*remote_server\s*=.*$ + create: true + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - auditd_audispd_configure_remote_server + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + + Encrypt Audit Records Sent With audispd Plugin + Configure the operating system to encrypt the transfer of off-loaded audit +records onto a different system or media from the system being audited. + +Set the transport option in /etc/audit/audisp-remote.conf +to KRB5. + CCI-001851 + AU-9(3) + CM-6(a) + SRG-OS-000342-GPOS-00133 + SRG-OS-000479-GPOS-00224 + FAU_GEN.1.1.c + Information stored in one location is vulnerable to accidental or incidental deletion +or alteration. Off-loading is a common process in information systems with limited +audit storage capacity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + + +AUDISP_REMOTE_CONFIG="/etc/audit/audisp-remote.conf" +option="^transport" +value="KRB5" + +replace_or_append $AUDISP_REMOTE_CONFIG "$option" "$value" "" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Configure auditd mail_acct Action on Low Disk Space + The auditd service can be configured to send email to +a designated account in certain situations. Add or correct the following line +in /etc/audit/auditd.conf to ensure that administrators are notified +via email for those situations: +action_mail_acct = + 5.4.1.1 + 3.3.1 + CCI-000139 + CCI-001855 + 164.312(a)(2)(ii) + A.12.1.3 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.17.2.1 + IA-5(1) + AU-5(a) + AU-5(2) + CM-6(a) + DE.AE-3 + DE.AE-5 + PR.DS-4 + PR.PT-1 + RS.AN-1 + RS.AN-4 + Req-10.7.a + SRG-OS-000046-GPOS-00022 + SRG-OS-000343-GPOS-00134 + SRG-OS-000046-VMM-000210 + SRG-OS-000343-VMM-001240 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 7.1 + SR 7.2 + 4.2.3.10 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI04.04 + BAI08.02 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS05.04 + DSS05.07 + MEA02.01 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + Email sent to the root account is typically aliased to the +administrators of the system, who can take appropriate action. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +var_auditd_action_mail_acct="" + + + +AUDITCONFIG=/etc/audit/auditd.conf + +replace_or_append $AUDITCONFIG '^action_mail_acct' "$var_auditd_action_mail_acct" "" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_auditd_action_mail_acct # promote to variable + set_fact: + var_auditd_action_mail_acct: !!str + tags: + - always + +- name: Configure auditd mail_acct Action on Low Disk Space + lineinfile: + dest: /etc/audit/auditd.conf + line: action_mail_acct = {{ var_auditd_action_mail_acct }} + state: present + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1) + - PCI-DSS-Req-10.7.a + - auditd_data_retention_action_mail_acct + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Set number of records to cause an explicit flush to audit logs + To configure Audit daemon to issue an explicit flush to disk command +after writing 50 records, set freq to 50 +in /etc/audit/auditd.conf. + FAU_GEN.1 + SRG-OS-000051-GPOS-00024 + If option freq isn't set to 50, the flush to disk +may happen after higher number of records, increasing the danger +of audit loss. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/audit/auditd.conf" ] ; then + LC_ALL=C sed -i "/^\s*freq\s*=\s*/Id" "/etc/audit/auditd.conf" +else + touch "/etc/audit/auditd.conf" +fi +cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" +# Insert at the end of the file +printf '%s\n' "freq = 50" >> "/etc/audit/auditd.conf" +# Clean up after ourselves. 
+rm "/etc/audit/auditd.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set number of records to cause an explicit flush to audit logs + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/audit/auditd.conf + create: false + regexp: (?i)^\s*freq\s*=\s* + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/audit/auditd.conf + lineinfile: + path: /etc/audit/auditd.conf + create: false + regexp: (?i)^\s*freq\s*=\s* + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/audit/auditd.conf + lineinfile: + path: /etc/audit/auditd.conf + create: true + regexp: (?i)^\s*freq\s*=\s* + line: freq = 50 + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - auditd_freq + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20incremental_async%0Afreq%20%3D%2050%0Amax_log_file%20%3D%208%0Anum_logs%20%3D%205%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20rotate%0Aspace_left%20%3D%20100%0Aspace_left_action%20%3D%20syslog%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20root%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20syslog%0Adisk_error_action%20%3D%20syslog%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true + + + + + + + + + + Configure auditd Max Log File Size + Determine the amount of audit data (in megabytes) +which should be retained in each log file. Edit the file +/etc/audit/auditd.conf. Add or modify the following line, substituting +the correct value of for STOREMB: +max_log_file = STOREMB +Set the value to 6 (MB) or higher for general-purpose systems. +Larger values, of course, +support retention of even more audit data. 
+ 5.4.1.1 + AU-11 + CM-6(a) + DE.AE-3 + DE.AE-5 + PR.PT-1 + RS.AN-1 + RS.AN-4 + Req-10.7 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + 4.2.3.10 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + APO12.06 + BAI03.05 + BAI08.02 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.16.1.4 + A.16.1.5 + A.16.1.7 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 3 + 4 + 5 + 6 + 7 + 8 + The total storage for audit log files must be large enough to retain +log information over the period required. This is a function of the maximum +log file size and the number of logs retained. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +var_auditd_max_log_file="" + + + +AUDITCONFIG=/etc/audit/auditd.conf + +replace_or_append $AUDITCONFIG '^max_log_file' "$var_auditd_max_log_file" "" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_auditd_max_log_file # promote to variable + set_fact: + var_auditd_max_log_file: !!str + tags: + - always + +- name: Configure auditd Max Log File Size + lineinfile: + dest: /etc/audit/auditd.conf + regexp: ^\s*max_log_file\s*=\s*.*$ + line: max_log_file = {{ var_auditd_max_log_file }} + state: present + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-53-AU-11 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.7 + - auditd_data_retention_max_log_file + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20incremental_async%0Afreq%20%3D%2050%0Amax_log_file%20%3D%208%0Anum_logs%20%3D%205%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20rotate%0Aspace_left%20%3D%20100%0Aspace_left_action%20%3D%20syslog%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20root%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20syslog%0Adisk_error_action%20%3D%20syslog%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true + + + + + + + + + + + Configure auditd Disk Full Action when Disk Space Is Full + The auditd service can be configured to take an action +when disk space is running low but prior to running out of space completely. +Edit the file /etc/audit/auditd.conf. Add or modify the following line, +substituting ACTION appropriately: +disk_full_action = ACTION +Set this value to single to cause the system to switch to single-user +mode for corrective action. Acceptable values also include syslog, + +exec, + +single, and halt. For certain systems, the need for availability +outweighs the need to log all actions, and a different setting should be +determined. Details regarding all possible values for ACTION are described in the +auditd.conf man page. 
+ AU-5(b) + AU-5(2) + AU-5(1) + AU-5(4) + CM-6(a) + DE.AE-3 + DE.AE-5 + PR.DS-4 + PR.PT-1 + RS.AN-1 + RS.AN-4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 7.1 + SR 7.2 + 4.2.3.10 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI04.04 + BAI08.02 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.1.3 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.17.2.1 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + SRG-OS-000047-GPOS-00023 + CCI-000140 + Taking appropriate action in case of a filled audit storage volume will minimize +the possibility of losing audit records. + + - name: XCCDF Value var_auditd_disk_full_action # promote to variable + set_fact: + var_auditd_disk_full_action: !!str + tags: + - always + +- name: Configure auditd Disk Full Action when Disk Space Is Full + lineinfile: + dest: /etc/audit/auditd.conf + line: disk_full_action = {{ var_auditd_disk_full_action }} + regexp: ^\s*disk_full_action\s*=\s*.*$ + state: present + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(4) + - NIST-800-53-AU-5(b) + - NIST-800-53-CM-6(a) + - auditd_data_disk_full_action + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20incremental_async%0Afreq%20%3D%2050%0Amax_log_file%20%3D%208%0Anum_logs%20%3D%205%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20rotate%0Aspace_left%20%3D%20100%0Aspace_left_action%20%3D%20syslog%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20root%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20syslog%0Adisk_error_action%20%3D%20syslog%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true + + + + + + + + + + + Configure auditd flush priority + The auditd service can be configured to +synchronously write audit event data to disk. 
Add or correct the following +line in /etc/audit/auditd.conf to ensure that audit event data is +fully synchronized with the log files on the disk: +flush = + 3.3.1 + CCI-001576 + 164.308(a)(1)(ii)(D) + 164.308(a)(3)(ii)(A) + 164.308(a)(5)(ii)(C) + 164.312(a)(2)(i) + 164.312(b) + 164.312(d) + 164.312(e) + AU-11 + CM-6(a) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.PT-1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + SRG-OS-000480-GPOS-00227 + Audit data should be synchronously written to disk to ensure +log integrity. These parameters assure that all audit event data is fully +synchronized with the log files on the disk. 
+ + - name: XCCDF Value var_auditd_flush # promote to variable + set_fact: + var_auditd_flush: !!str + tags: + - always + +- name: Configure auditd Flush Priority + lineinfile: + dest: /etc/audit/auditd.conf + regexp: ^\s*flush\s*=\s*.*$ + line: flush = {{ var_auditd_flush }} + state: present + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.3.1 + - NIST-800-53-AU-11 + - NIST-800-53-CM-6(a) + - auditd_data_retention_flush + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20incremental_async%0Afreq%20%3D%2050%0Amax_log_file%20%3D%208%0Anum_logs%20%3D%205%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20rotate%0Aspace_left%20%3D%20100%0Aspace_left_action%20%3D%20syslog%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20root%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20syslog%0Adisk_error_action%20%3D%20syslog%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d + mode: 0640 + path: 
/etc/audit/auditd.conf + overwrite: true + + + + + + + + + + + Configure auditd max_log_file_action Upon Reaching Maximum Log Size + The default action to take when the logs reach their maximum size +is to rotate the log files, discarding the oldest one. To configure the action taken +by auditd, add or correct the line in /etc/audit/auditd.conf: +max_log_file_action = ACTION +Possible values for ACTION are described in the auditd.conf man +page. These include: +syslogsuspendrotatekeep_logs +Set the ACTION to rotate to ensure log rotation +occurs. This is the default. The setting is case-insensitive. + 5.4.1.1 + 164.312(a)(2)(ii) + A.12.1.3 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.17.2.1 + AU-5(b) + AU-5(2) + AU-5(1) + AU-5(4) + CM-6(a) + DE.AE-3 + DE.AE-5 + PR.DS-4 + PR.PT-1 + RS.AN-1 + RS.AN-4 + Req-10.7 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 7.1 + SR 7.2 + 4.2.3.10 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI04.04 + BAI08.02 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS05.04 + DSS05.07 + MEA02.01 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + SRG-OS-000047-GPOS-00023 + CCI-000140 + Automatically rotating logs (by setting this to rotate) +minimizes the chances of the system unexpectedly running out of disk space by +being overwhelmed with log data. However, for systems that must never discard +log data, or which use external processes to transfer it and reclaim space, +keep_logs can be employed. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +var_auditd_max_log_file_action="" + + + +AUDITCONFIG=/etc/audit/auditd.conf + +replace_or_append $AUDITCONFIG '^max_log_file_action' "$var_auditd_max_log_file_action" "" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_auditd_max_log_file_action # promote to variable + set_fact: + var_auditd_max_log_file_action: !!str + tags: + - always + +- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size + lineinfile: + dest: /etc/audit/auditd.conf + line: max_log_file_action = {{ var_auditd_max_log_file_action }} + regexp: ^\s*max_log_file_action\s*=\s*.*$ + state: present + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(4) + - NIST-800-53-AU-5(b) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.7 + - auditd_data_retention_max_log_file_action + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20incremental_async%0Afreq%20%3D%2050%0Amax_log_file%20%3D%208%0Anum_logs%20%3D%205%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20rotate%0Aspace_left%20%3D%20100%0Aspace_left_action%20%3D%20syslog%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20root%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20syslog%0Adisk_error_action%20%3D%20syslog%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true + + + + + + + + + + + Set hostname as computer node name in audit logs + To configure Audit daemon to use value returned by gethostname +syscall as computer node name in the audit events, +set name_format to hostname +in /etc/audit/auditd.conf. + CCI-001851 + FAU_GEN.1 + SRG-OS-000039-GPOS-00017 + SRG-OS-000342-GPOS-00133 + SRG-OS-000479-GPOS-00224 + If option name_format is left at its default value of +none, audit events from different computers may be hard +to distinguish. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if [ -e "/etc/audit/auditd.conf" ] ; then + LC_ALL=C sed -i "/^\s*name_format\s*=\s*/Id" "/etc/audit/auditd.conf" +else + touch "/etc/audit/auditd.conf" +fi +cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" +# Insert at the end of the file +printf '%s\n' "name_format = hostname" >> "/etc/audit/auditd.conf" +# Clean up after ourselves. +rm "/etc/audit/auditd.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set hostname as computer node name in audit logs + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/audit/auditd.conf + create: false + regexp: (?i)^\s*name_format\s*=\s* + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/audit/auditd.conf + lineinfile: + path: /etc/audit/auditd.conf + create: false + regexp: (?i)^\s*name_format\s*=\s* + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/audit/auditd.conf + lineinfile: + path: /etc/audit/auditd.conf + create: true + regexp: (?i)^\s*name_format\s*=\s* + line: name_format = hostname + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - auditd_name_format + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20incremental_async%0Afreq%20%3D%2050%0Amax_log_file%20%3D%208%0Anum_logs%20%3D%205%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20rotate%0Aspace_left%20%3D%20100%0Aspace_left_action%20%3D%20syslog%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20root%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20syslog%0Adisk_error_action%20%3D%20syslog%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true + + + + + + + + + + Resolve information before writing to audit logs + To configure Audit daemon to resolve all uid, gid, syscall, +architecture, and socket address information before writing the +events to disk, set log_format to ENRICHED +in /etc/audit/auditd.conf. + FAU_GEN.1 + SRG-OS-000255-GPOS-00096 + SRG-OS-000480-GPOS-00227 + CCI-000366 + If option log_format isn't set to ENRICHED, the +audit records will be stored in a format exactly as the kernel sends them. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if [ -e "/etc/audit/auditd.conf" ] ; then + LC_ALL=C sed -i "/^\s*log_format\s*=\s*/Id" "/etc/audit/auditd.conf" +else + touch "/etc/audit/auditd.conf" +fi +cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" +# Insert at the end of the file +printf '%s\n' "log_format = ENRICHED" >> "/etc/audit/auditd.conf" +# Clean up after ourselves. +rm "/etc/audit/auditd.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Resolve information before writing to audit logs + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/audit/auditd.conf + create: false + regexp: (?i)^\s*log_format\s*=\s* + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/audit/auditd.conf + lineinfile: + path: /etc/audit/auditd.conf + create: false + regexp: (?i)^\s*log_format\s*=\s* + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/audit/auditd.conf + lineinfile: + path: /etc/audit/auditd.conf + create: true + regexp: (?i)^\s*log_format\s*=\s* + line: log_format = ENRICHED + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - auditd_log_format + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20incremental_async%0Afreq%20%3D%2050%0Amax_log_file%20%3D%208%0Anum_logs%20%3D%205%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20rotate%0Aspace_left%20%3D%20100%0Aspace_left_action%20%3D%20syslog%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20root%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20syslog%0Adisk_error_action%20%3D%20syslog%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true + + + + + + + + + + Configure auditd space_left Action on Low Disk Space + The auditd service can be configured to take an action +when disk space starts to run low. +Edit the file /etc/audit/auditd.conf. Modify the following line, +substituting ACTION appropriately: +space_left_action = ACTION +Possible values for ACTION are described in the auditd.conf man page. +These include: +syslogemailexecsuspendsinglehalt +Set this to email (instead of the default, +which is suspend) as it is more likely to get prompt attention. Acceptable values +also include suspend, single, and halt. 
+ 5.4.1.1 + 3.3.1 + CCI-001855 + 164.312(a)(2)(ii) + A.12.1.3 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.17.2.1 + AU-5(b) + AU-5(2) + AU-5(1) + AU-5(4) + CM-6(a) + DE.AE-3 + DE.AE-5 + PR.DS-4 + PR.PT-1 + RS.AN-1 + RS.AN-4 + Req-10.7 + SRG-OS-000343-GPOS-00134 + SRG-OS-000343-VMM-001240 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 7.1 + SR 7.2 + 4.2.3.10 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI04.04 + BAI08.02 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS05.04 + DSS05.07 + MEA02.01 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + Notifying administrators of an impending disk space problem may +allow them to take corrective action prior to any disruption. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +var_auditd_space_left_action="" + + + +# +# If space_left_action present in /etc/audit/auditd.conf, change value +# to var_auditd_space_left_action, else +# add "space_left_action = $var_auditd_space_left_action" to /etc/audit/auditd.conf +# + +AUDITCONFIG=/etc/audit/auditd.conf + +replace_or_append $AUDITCONFIG '^space_left_action' "$var_auditd_space_left_action" "" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_auditd_space_left_action # promote to variable + set_fact: + var_auditd_space_left_action: !!str + tags: + - always + +- name: Configure auditd space_left Action on Low Disk Space + lineinfile: + dest: /etc/audit/auditd.conf + line: space_left_action = {{ var_auditd_space_left_action }} + regexp: ^\s*space_left_action\s*=\s*.*$ + state: present + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-53-AU-5(1) + - 
NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(4) + - NIST-800-53-AU-5(b) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.7 + - auditd_data_retention_space_left_action + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20incremental_async%0Afreq%20%3D%2050%0Amax_log_file%20%3D%208%0Anum_logs%20%3D%205%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20rotate%0Aspace_left%20%3D%20100%0Aspace_left_action%20%3D%20syslog%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20root%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20syslog%0Adisk_error_action%20%3D%20syslog%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true + + + + + + + + + + + Configure auditd Disk Error Action on Disk Error + The auditd service can be configured to take an action +when there is a disk error. +Edit the file /etc/audit/auditd.conf. 
Add or modify the following line, +substituting ACTION appropriately: +disk_error_action = ACTION +Set this value to single to cause the system to switch to single-user +mode for corrective action. Acceptable values also include syslog, +exec, single, and halt. For certain systems, the need for availability +outweighs the need to log all actions, and a different setting should be +determined. Details regarding all possible values for ACTION are described in the +auditd.conf man page. + AU-5(b) + AU-5(2) + AU-5(1) + AU-5(4) + CM-6(a) + DE.AE-3 + DE.AE-5 + PR.DS-4 + PR.PT-1 + RS.AN-1 + RS.AN-4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 7.1 + SR 7.2 + 4.2.3.10 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI04.04 + BAI08.02 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.1.3 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.17.2.1 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + SRG-OS-000047-GPOS-00023 + CCI-000140 + Taking appropriate action in case of disk errors will minimize the possibility of +losing audit records. 
+ + - name: XCCDF Value var_auditd_disk_error_action # promote to variable + set_fact: + var_auditd_disk_error_action: !!str + tags: + - always + +- name: Configure auditd Disk Error Action on Disk Error + lineinfile: + dest: /etc/audit/auditd.conf + line: disk_error_action = {{ var_auditd_disk_error_action }} + regexp: ^\s*disk_error_action\s*=\s*.*$ + state: present + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(4) + - NIST-800-53-AU-5(b) + - NIST-800-53-CM-6(a) + - auditd_data_disk_error_action + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20incremental_async%0Afreq%20%3D%2050%0Amax_log_file%20%3D%208%0Anum_logs%20%3D%205%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20rotate%0Aspace_left%20%3D%20100%0Aspace_left_action%20%3D%20syslog%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20root%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20syslog%0Adisk_error_action%20%3D%20syslog%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aov
erflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true + + + + + + + + + + + Configure auditd Number of Logs Retained + Determine how many log files +auditd should retain when it rotates logs. +Edit the file /etc/audit/auditd.conf. Add or modify the following +line, substituting NUMLOGS with the correct value of : +num_logs = NUMLOGS +Set the value to 5 for general-purpose systems. +Note that values less than 2 result in no log rotation. + 5.4.1.1 + 3.3.1 + AU-11 + CM-6(a) + DE.AE-3 + DE.AE-5 + PR.PT-1 + RS.AN-1 + RS.AN-4 + Req-10.7 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + 4.2.3.10 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + APO12.06 + BAI03.05 + BAI08.02 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.16.1.4 + A.16.1.5 + A.16.1.7 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 3 + 4 + 5 + 6 + 7 + 8 + The total storage for audit log files must be large enough to retain +log information over the period required. This is a function of the maximum log +file size and the number of logs retained. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +var_auditd_num_logs="" + + + +AUDITCONFIG=/etc/audit/auditd.conf + +replace_or_append $AUDITCONFIG '^num_logs' "$var_auditd_num_logs" "" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_auditd_num_logs # promote to variable + set_fact: + var_auditd_num_logs: !!str + tags: + - always + +- name: Configure auditd Number of Logs Retained + lineinfile: + dest: /etc/audit/auditd.conf + line: num_logs = {{ var_auditd_num_logs }} + regexp: ^\s*num_logs\s*=\s*.*$ + state: present + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-53-AU-11 + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.7 + - auditd_data_retention_num_logs + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20incremental_async%0Afreq%20%3D%2050%0Amax_log_file%20%3D%208%0Anum_logs%20%3D%205%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20rotate%0Aspace_left%20%3D%20100%0Aspace_left_action%20%3D%20syslog%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20root%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20syslog%0Adisk_error_action%20%3D%20syslog%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true + + + + + + + + + + + Configure auditd to use audispd's syslog plugin + To configure the auditd service to use the +syslog plug-in of the audispd audit event multiplexor, set +the active line in /etc/audit/plugins.d/syslog.conf to yes. 
+Restart the auditd service: +$ sudo service auditd restart + 5.4.1.1 + 3.3.1 + CCI-000136 + 164.308(a)(1)(ii)(D) + 164.308(a)(5)(ii)(B) + 164.308(a)(5)(ii)(C) + 164.308(a)(6)(ii) + 164.308(a)(8) + 164.310(d)(2)(iii) + 164.312(b) + 164.314(a)(2)(i)(C) + 164.314(a)(2)(iii) + AU-4(1) + CM-6(a) + DE.AE-3 + DE.AE-5 + PR.PT-1 + RS.AN-1 + RS.AN-4 + FAU_GEN.1.1.c + SRG-OS-000051-VMM-000230 + SRG-OS-000058-VMM-000270 + SRG-OS-000059-VMM-000280 + SRG-OS-000479-VMM-001990 + SRG-OS-000479-VMM-001990 + Req-10.5.3 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + 4.2.3.10 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + APO12.06 + BAI03.05 + BAI08.02 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.16.1.4 + A.16.1.5 + A.16.1.7 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 3 + 4 + 5 + 6 + 7 + 8 + SRG-OS-000479-GPOS-00224 + SRG-OS-000342-GPOS-00133 + The auditd service does not include the ability to send audit +records to a centralized server for management directly. It does, however, +include a plug-in for audit event multiplexor (audispd) to pass audit records +to the local syslog server + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +var_syslog_active="yes" + + +AUDISP_SYSLOGCONFIG=/etc/audit/plugins.d/syslog.conf + +replace_or_append $AUDISP_SYSLOGCONFIG '^active' "$var_syslog_active" "" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: enable syslog plugin + lineinfile: + dest: /etc/audit/plugins.d/syslog.conf + regexp: ^active + line: active = yes + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-53-AU-4(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.5.3 + - auditd_audispd_syslog_plugin_activated + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Write Audit Logs to the Disk + To configure Audit daemon to write Audit logs to the disk, set +write_logs to yes in /etc/audit/auditd.conf. +This is the default setting. + FAU_GEN.1.1.c + SRG-OS-000480-GPOS-00227 + If write_logs isn't set to yes, the Audit logs will +not be written to the disk. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/audit/auditd.conf" ] ; then + LC_ALL=C sed -i "/^\s*write_logs\s*=\s*/Id" "/etc/audit/auditd.conf" +else + touch "/etc/audit/auditd.conf" +fi +cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" +# Insert at the end of the file +printf '%s\n' "write_logs = yes" >> "/etc/audit/auditd.conf" +# Clean up after ourselves. 
+rm "/etc/audit/auditd.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Write Audit Logs to the Disk + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/audit/auditd.conf + create: false + regexp: (?i)^\s*write_logs\s*=\s* + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/audit/auditd.conf + lineinfile: + path: /etc/audit/auditd.conf + create: false + regexp: (?i)^\s*write_logs\s*=\s* + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/audit/auditd.conf + lineinfile: + path: /etc/audit/auditd.conf + create: true + regexp: (?i)^\s*write_logs\s*=\s* + line: write_logs = yes + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - auditd_write_logs + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20incremental_async%0Afreq%20%3D%2050%0Amax_log_file%20%3D%208%0Anum_logs%20%3D%205%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20rotate%0Aspace_left%20%3D%20100%0Aspace_left_action%20%3D%20syslog%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20root%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20syslog%0Adisk_error_action%20%3D%20syslog%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true + + + + + + + + + + Configure auditd admin_space_left Action on Low Disk Space + The auditd service can be configured to take an action +when disk space is running low but prior to running out of space completely. +Edit the file /etc/audit/auditd.conf. Add or modify the following line, +substituting ACTION appropriately: +admin_space_left_action = ACTION +Set this value to single to cause the system to switch to single user +mode for corrective action. Acceptable values also include suspend and +halt. For certain systems, the need for availability +outweighs the need to log all actions, and a different setting should be +determined. Details regarding all possible values for ACTION are described in the +auditd.conf man page. 
+ SRG-OS-000343-GPOS-00134 + 5.4.1.1 + 3.3.1 + CCI-000140 + CCI-001343 + CCI-001855 + 164.312(a)(2)(ii) + A.12.1.3 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.16.1.4 + A.16.1.5 + A.16.1.7 + A.17.2.1 + AU-5(b) + AU-5(2) + AU-5(1) + AU-5(4) + CM-6(a) + DE.AE-3 + DE.AE-5 + PR.DS-4 + PR.PT-1 + RS.AN-1 + RS.AN-4 + Req-10.7 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 7.1 + SR 7.2 + 4.2.3.10 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.3.4.5.6 + 4.3.4.5.7 + 4.3.4.5.8 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + APO12.06 + APO13.01 + BAI03.05 + BAI04.04 + BAI08.02 + DSS02.02 + DSS02.04 + DSS02.07 + DSS03.01 + DSS05.04 + DSS05.07 + MEA02.01 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 19 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + Administrators should be made aware of an inability to record +audit records. If a separate partition or logical volume of adequate size +is used, running low on space for audit records should never occur. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +var_auditd_admin_space_left_action="" + + + +AUDITCONFIG=/etc/audit/auditd.conf + +replace_or_append $AUDITCONFIG '^admin_space_left_action' "$var_auditd_admin_space_left_action" "" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_auditd_admin_space_left_action # promote to variable + set_fact: + var_auditd_admin_space_left_action: !!str + tags: + - always + +- name: Configure auditd admin_space_left Action on Low Disk Space + lineinfile: + dest: /etc/audit/auditd.conf + line: admin_space_left_action = {{ var_auditd_admin_space_left_action }} + regexp: ^\s*admin_space_left_action\s*=\s*.*$ + state: present + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.4.1.1 + - NIST-800-171-3.3.1 + - NIST-800-53-AU-5(1) + - NIST-800-53-AU-5(2) + - NIST-800-53-AU-5(4) + - NIST-800-53-AU-5(b) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.7 + - auditd_data_retention_admin_space_left_action + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20incremental_async%0Afreq%20%3D%2050%0Amax_log_file%20%3D%208%0Anum_logs%20%3D%205%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20rotate%0Aspace_left%20%3D%20100%0Aspace_left_action%20%3D%20syslog%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20root%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20syslog%0Adisk_error_action%20%3D%20syslog%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true + + + + + + + + + + + Include Local Events in Audit Logs + To configure Audit daemon to include local events in Audit logs, set +local_events to yes in /etc/audit/auditd.conf. +This is the default setting. + FAU_GEN.1.1.c + SRG-OS-000062-GPOS-00031 + SRG-OS-000480-GPOS-00227 + CCI-000366 + If option local_events isn't set to yes only events from +network will be aggregated. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if [ -e "/etc/audit/auditd.conf" ] ; then + LC_ALL=C sed -i "/^\s*local_events\s*=\s*/Id" "/etc/audit/auditd.conf" +else + touch "/etc/audit/auditd.conf" +fi +cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" +# Insert at the end of the file +printf '%s\n' "local_events = yes" >> "/etc/audit/auditd.conf" +# Clean up after ourselves. +rm "/etc/audit/auditd.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Include Local Events in Audit Logs + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/audit/auditd.conf + create: false + regexp: (?i)^\s*local_events\s*=\s* + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/audit/auditd.conf + lineinfile: + path: /etc/audit/auditd.conf + create: false + regexp: (?i)^\s*local_events\s*=\s* + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/audit/auditd.conf + lineinfile: + path: /etc/audit/auditd.conf + create: true + regexp: (?i)^\s*local_events\s*=\s* + line: local_events = yes + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - auditd_local_events + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20incremental_async%0Afreq%20%3D%2050%0Amax_log_file%20%3D%208%0Anum_logs%20%3D%205%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20rotate%0Aspace_left%20%3D%20100%0Aspace_left_action%20%3D%20syslog%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20root%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20syslog%0Adisk_error_action%20%3D%20syslog%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d + mode: 0640 + path: /etc/audit/auditd.conf + overwrite: true + + + + + + + + + + + System Accounting with auditd + The auditd program can perform comprehensive +monitoring of system activity. This section makes use of recommended +configuration settings for specific policies or use cases. +The rules in this section make use of rules defined in /usr/share/doc/audit-VERSION/rules. + + + + + File Permissions and Masks + Traditional Unix security relies heavily on file and +directory permissions to prevent unauthorized users from reading or +modifying files to which they should not have access. + +Several of the commands in this section search filesystems +for files or directories with certain characteristics, and are +intended to be run on every local partition on a given system. 
+When the variable PART appears in one of the commands below, +it means that the command is intended to be run repeatedly, with the +name of each local partition substituted for PART in turn. + +The following command prints a list of all xfs partitions on the local +system, which is the default filesystem for Fedora +installations: +$ mount -t xfs | awk '{print $3}' +For any systems that use a different +local filesystem type, modify this command as appropriate. + + Restrict Dynamic Mounting and Unmounting of +Filesystems + Linux includes a number of facilities for the automated addition +and removal of filesystems on a running system. These facilities may be +necessary in many environments, but this capability also carries some risk -- whether direct +risk from allowing users to introduce arbitrary filesystems, +or risk that software flaws in the automated mount facility itself could +allow an attacker to compromise the system. + +This command can be used to list the types of filesystems that are +available to the currently executing kernel: +$ find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko' +If these filesystems are not required then they can be explicitly disabled +in a configuratio file in /etc/modprobe.d. + + Disable the Automounter + The autofs daemon mounts and unmounts filesystems, such as user +home directories shared via NFS, on demand. In addition, autofs can be used to handle +removable media, and the default configuration provides the cdrom device as /misc/cd. +However, this method of providing access to removable media is not common, so autofs +can almost always be disabled if NFS is not in use. Even if NFS is required, it may be +possible to configure filesystem mounts statically by editing /etc/fstab +rather than relying on the automounter. 
+ + +The autofs service can be disabled with the following command: +$ sudo systemctl mask --now autofs.service + 3.4.6 + CCI-000366 + CCI-000778 + CCI-001958 + 164.308(a)(3)(i) + 164.308(a)(3)(ii)(A) + 164.310(d)(1) + 164.310(d)(2) + 164.312(a)(1) + 164.312(a)(2)(iv) + 164.312(b) + CM-7(a) + CM-7(b) + CM-6(a) + MP-7 + PR.AC-1 + PR.AC-3 + PR.AC-6 + PR.AC-7 + SRG-OS-000114-GPOS-00059 + SRG-OS-000378-GPOS-00163 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.6 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + APO13.01 + DSS01.04 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.11.2.6 + A.13.1.1 + A.13.2.1 + A.18.1.4 + A.6.2.1 + A.6.2.2 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + Disabling the automounter permits the administrator to +statically control filesystem mounting through /etc/fstab. + +Additionally, automatically mounting filesystems permits easy introduction of +unknown devices, thereby facilitating malicious activity. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'autofs.service' +"$SYSTEMCTL_EXEC" disable 'autofs.service' +"$SYSTEMCTL_EXEC" mask 'autofs.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^autofs.socket'; then + "$SYSTEMCTL_EXEC" stop 'autofs.socket' + "$SYSTEMCTL_EXEC" mask 'autofs.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. 
+"$SYSTEMCTL_EXEC" reset-failed 'autofs.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable service autofs + block: + + - name: Gather the service facts + service_facts: null + + - name: Disable service autofs + systemd: + name: autofs.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"autofs.service" in ansible_facts.services' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.4.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_autofs_disabled + +- name: Unit Socket Exists - autofs.socket + command: systemctl list-unit-files autofs.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.4.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_autofs_disabled + +- name: Disable socket autofs + systemd: + name: autofs.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"autofs.socket" in socket_file_exists.stdout_lines[1]' + tags: + - NIST-800-171-3.4.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_autofs_disabled + + include disable_autofs + +class disable_autofs { + service {'autofs': + enable => false, + ensure => 'stopped', + } +} + + apiVersion: 
machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - enabled: false + name: autofs.service + + + + + + + + + + Disable Kernel Support for USB via Bootloader Configuration + All USB support can be disabled by adding the nousb +argument to the kernel's boot loader configuration. To do so, +append "nousb" to the kernel line in /etc/default/grub as shown: +kernel /vmlinuz-VERSION ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb + Disabling all kernel support for USB will cause problems for systems +with USB-based keyboards, mice, or printers. This configuration is +infeasible for systems which require USB devices, which is common. + CCI-001250 + 164.308(a)(3)(i) + 164.308(a)(3)(ii)(A) + 164.310(d)(1) + 164.310(d)(2) + 164.312(a)(1) + 164.312(a)(2)(iv) + 164.312(b) + MP-7 + CM-6(a) + PR.AC-3 + PR.AC-6 + SR 1.1 + SR 1.13 + SR 1.2 + SR 1.4 + SR 1.5 + SR 1.9 + SR 2.1 + SR 2.6 + 4.3.3.2.2 + 4.3.3.5.2 + 4.3.3.6.6 + 4.3.3.7.2 + 4.3.3.7.4 + APO13.01 + DSS01.04 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + A.11.2.6 + A.13.1.1 + A.13.2.1 + A.6.2.1 + A.6.2.2 + A.7.1.1 + A.9.2.1 + 12 + 16 + Disabling the USB subsystem within the Linux kernel at system boot will +protect against potentially malicious USB devices, although it is only practical +in specialized systems. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common; then + +# Correct the form of default kernel command line in /etc/default/grub +if ! 
grep -q ^GRUB_CMDLINE_LINUX=\".*nousb.*\" /etc/default/grub; +then + # Edit configuration setting + # Append 'nousb' argument to /etc/default/grub (if not present yet) + sed -i "s/\(GRUB_CMDLINE_LINUX=\)\"\(.*\)\"/\1\"\2 nousb\"/" /etc/default/grub + # Edit runtime setting + # Correct the form of kernel command line for each installed kernel in the bootloader + /sbin/grubby --update-kernel=ALL --args="nousb" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + Disable Mounting of udf + +To configure the system to prevent the udf +kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: +install udf /bin/true +This effectively prevents usage of this uncommon filesystem. + +The udf filesystem type is the universal disk format +used to implement the ISO/IEC 13346 and ECMA-167 specifications. +This is an open vendor filesystem type for data storage on a broad +range of media. This filesystem type is neccessary to support +writing DVDs and newer optical disc formats. + 3.4.6 + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + Removing support for unneeded filesystem types reduces the local +attack surface of the system. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install udf" /etc/modprobe.d/udf.conf ; then + sed -i 's/^install udf.*/install udf /bin/true/g' /etc/modprobe.d/udf.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/udf.conf + echo "install udf /bin/true" >> /etc/modprobe.d/udf.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure kernel module 'udf' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/udf.conf + regexp: udf + line: install udf /bin/true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.4.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - kernel_module_udf_disabled + - low_complexity + - low_severity + - medium_disruption + - reboot_required + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20udf%20/bin/true%0A + mode: 0644 + path: /etc/modprobe.d/75-kernel_module_udf_disabled.conf + overwrite: true + + + + + + + Disable Mounting of vFAT filesystems + +To configure the system to prevent the vfat +kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: +install vfat /bin/true +This effectively prevents usage of this uncommon filesystem. + +The vFAT filesystem format is primarily used on older +windows systems and portable USB drives or flash modules. It comes +in three types FAT12, FAT16, and FAT32 +all of which are supported by the vfat kernel module. 
+ 3.4.6 + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + Removing support for unneeded filesystems reduces the local attack +surface of the system. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install vfat" /etc/modprobe.d/vfat.conf ; then + sed -i 's/^install vfat.*/install vfat /bin/true/g' /etc/modprobe.d/vfat.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/vfat.conf + echo "install vfat /bin/true" >> /etc/modprobe.d/vfat.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure kernel module 'vfat' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/vfat.conf + regexp: vfat + line: install vfat /bin/true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.4.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - kernel_module_vfat_disabled + - low_complexity + - low_severity + - medium_disruption + - reboot_required + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20vfat%20/bin/true%0A + mode: 0644 + 
path: /etc/modprobe.d/75-kernel_module_vfat_disabled.conf + overwrite: true + + + + + + + Disable Mounting of hfsplus + +To configure the system to prevent the hfsplus +kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: +install hfsplus /bin/true +This effectively prevents usage of this uncommon filesystem. + 3.4.6 + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + Linux kernel modules which implement filesystems that are not needed by the +local system should be disabled. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install hfsplus" /etc/modprobe.d/hfsplus.conf ; then + sed -i 's/^install hfsplus.*/install hfsplus /bin/true/g' /etc/modprobe.d/hfsplus.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfsplus.conf + echo "install hfsplus /bin/true" >> /etc/modprobe.d/hfsplus.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure kernel module 'hfsplus' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/hfsplus.conf + regexp: hfsplus + line: install hfsplus /bin/true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.4.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - kernel_module_hfsplus_disabled + - low_complexity + - low_severity + - medium_disruption + - reboot_required + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20hfsplus%20/bin/true%0A + mode: 0644 + path: /etc/modprobe.d/75-kernel_module_hfsplus_disabled.conf + overwrite: true + + + + + + + Disable Mounting of jffs2 + +To configure the system to prevent the jffs2 +kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: +install jffs2 /bin/true +This effectively prevents usage of this uncommon filesystem. 
+ 3.4.6 + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + Linux kernel modules which implement filesystems that are not needed by the +local system should be disabled. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install jffs2" /etc/modprobe.d/jffs2.conf ; then + sed -i 's/^install jffs2.*/install jffs2 /bin/true/g' /etc/modprobe.d/jffs2.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/jffs2.conf + echo "install jffs2 /bin/true" >> /etc/modprobe.d/jffs2.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure kernel module 'jffs2' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/jffs2.conf + regexp: jffs2 + line: install jffs2 /bin/true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.4.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - kernel_module_jffs2_disabled + - low_complexity + - low_severity + - medium_disruption + - reboot_required + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,install%20jffs2%20/bin/true%0A + mode: 0644 + path: /etc/modprobe.d/75-kernel_module_jffs2_disabled.conf + overwrite: true + + + + + + + Disable Modprobe Loading of USB Storage Driver + To prevent USB storage devices from being used, configure the kernel module loading system +to prevent automatic loading of the USB storage driver. + +To configure the system to prevent the usb-storage +kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: +install usb-storage /bin/true +This will prevent the modprobe program from loading the usb-storage +module, but will not prevent an administrator (or another program) from using the +insmod program to load the module manually. + 3.1.21 + CCI-000366 + CCI-000778 + CCI-001958 + 164.308(a)(3)(i) + 164.308(a)(3)(ii)(A) + 164.310(d)(1) + 164.310(d)(2) + 164.312(a)(1) + 164.312(a)(2)(iv) + 164.312(b) + CM-7(a) + CM-7(b) + CM-6(a) + MP-7 + PR.AC-1 + PR.AC-3 + PR.AC-6 + PR.AC-7 + SRG-OS-000114-GPOS-00059 + SRG-OS-000378-GPOS-00163 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.6 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + APO13.01 + DSS01.04 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.11.2.6 + A.13.1.1 + A.13.2.1 + A.18.1.4 + A.6.2.1 + A.6.2.2 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + USB storage devices such as thumb drives can be used to introduce +malicious software. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install usb-storage" /etc/modprobe.d/usb-storage.conf ; then + sed -i 's/^install usb-storage.*/install usb-storage /bin/true/g' /etc/modprobe.d/usb-storage.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/usb-storage.conf + echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb-storage.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure kernel module 'usb-storage' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/usb-storage.conf + regexp: usb-storage + line: install usb-storage /bin/true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.21 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - disable_strategy + - kernel_module_usb-storage_disabled + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20usb-storage%20/bin/true%0A + mode: 0644 + path: /etc/modprobe.d/75-kernel_module_usb-storage_disabled.conf + overwrite: true + + + + + + + + + + Disable Mounting of squashfs + +To configure the system to prevent the squashfs +kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: +install squashfs /bin/true +This effectively prevents usage of this uncommon filesystem. + +The squashfs filesystem type is a compressed read-only Linux +filesystem embedded in small footprint systems (similar to +cramfs). A squashfs image can be used without having +to first decompress the image. 
+ 3.4.6 + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + Removing support for unneeded filesystem types reduces the local attack +surface of the system. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install squashfs" /etc/modprobe.d/squashfs.conf ; then + sed -i 's/^install squashfs.*/install squashfs /bin/true/g' /etc/modprobe.d/squashfs.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/squashfs.conf + echo "install squashfs /bin/true" >> /etc/modprobe.d/squashfs.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure kernel module 'squashfs' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/squashfs.conf + regexp: squashfs + line: install squashfs /bin/true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.4.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - kernel_module_squashfs_disabled + - low_complexity + - low_severity + - medium_disruption + - reboot_required + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + 
source: data:,install%20squashfs%20/bin/true%0A + mode: 0644 + path: /etc/modprobe.d/75-kernel_module_squashfs_disabled.conf + overwrite: true + + + + + + + Assign Password to Prevent Changes to Boot Firmware Configuration + Assign a password to the system boot firmware (historically called BIOS on PC +systems) to require a password for any configuration changes. + Assigning a password to the system boot firmware prevents anyone +with physical access from configuring the system to boot +from local media and circumvent the operating system's access controls. +For systems in physically secure locations, such as +a data center or Sensitive Compartmented Information Facility (SCIF), this risk must be weighed +against the risk of administrative personnel being unable to conduct recovery operations in +a timely fashion. + + + + Disable Mounting of hfs + +To configure the system to prevent the hfs +kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: +install hfs /bin/true +This effectively prevents usage of this uncommon filesystem. + 3.4.6 + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + Linux kernel modules which implement filesystems that are not needed by the +local system should be disabled. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install hfs" /etc/modprobe.d/hfs.conf ; then + sed -i 's/^install hfs.*/install hfs /bin/true/g' /etc/modprobe.d/hfs.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/hfs.conf + echo "install hfs /bin/true" >> /etc/modprobe.d/hfs.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure kernel module 'hfs' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/hfs.conf + regexp: hfs + line: install hfs /bin/true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.4.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - kernel_module_hfs_disabled + - low_complexity + - low_severity + - medium_disruption + - reboot_required + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20hfs%20/bin/true%0A + mode: 0644 + path: /etc/modprobe.d/75-kernel_module_hfs_disabled.conf + overwrite: true + + + + + + + Disable Mounting of freevxfs + +To configure the system to prevent the freevxfs +kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: +install freevxfs /bin/true +This effectively prevents usage of this uncommon filesystem. 
+ 3.4.6 + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + Linux kernel modules which implement filesystems that are not needed by the +local system should be disabled. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install freevxfs" /etc/modprobe.d/freevxfs.conf ; then + sed -i 's/^install freevxfs.*/install freevxfs /bin/true/g' /etc/modprobe.d/freevxfs.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/freevxfs.conf + echo "install freevxfs /bin/true" >> /etc/modprobe.d/freevxfs.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure kernel module 'freevxfs' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/freevxfs.conf + regexp: freevxfs + line: install freevxfs /bin/true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.4.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - kernel_module_freevxfs_disabled + - low_complexity + - low_severity + - medium_disruption + - reboot_required + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - 
contents: + source: data:,install%20freevxfs%20/bin/true%0A + mode: 0644 + path: /etc/modprobe.d/75-kernel_module_freevxfs_disabled.conf + overwrite: true + + + + + + + Disable Booting from USB Devices in Boot Firmware + Configure the system boot firmware (historically called BIOS on PC +systems) to disallow booting from USB drives. + CCI-001250 + MP-7 + CM-7(b) + CM-6(a) + PR.AC-3 + PR.AC-6 + SR 1.1 + SR 1.13 + SR 1.2 + SR 1.4 + SR 1.5 + SR 1.9 + SR 2.1 + SR 2.6 + 4.3.3.2.2 + 4.3.3.5.2 + 4.3.3.6.6 + 4.3.3.7.2 + 4.3.3.7.4 + APO13.01 + DSS01.04 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + A.11.2.6 + A.13.1.1 + A.13.2.1 + A.6.2.1 + A.6.2.2 + A.7.1.1 + A.9.2.1 + 12 + 16 + Booting a system from a USB device would allow an attacker to +circumvent any security measures provided by the operating system. Attackers +could mount partitions and modify the configuration of the OS. + + + + Disable Mounting of cramfs + +To configure the system to prevent the cramfs +kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: +install cramfs /bin/true +This effectively prevents usage of this uncommon filesystem. + +The cramfs filesystem type is a compressed read-only +Linux filesystem embedded in small footprint systems. A +cramfs image can be used without having to first +decompress the image. 
+ 3.4.6 + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + SRG-OS-000095-GPOS-00049 + CCI-000381 + Removing support for unneeded filesystem types reduces the local attack surface +of the server. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install cramfs" /etc/modprobe.d/cramfs.conf ; then + sed -i 's/^install cramfs.*/install cramfs /bin/true/g' /etc/modprobe.d/cramfs.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/cramfs.conf + echo "install cramfs /bin/true" >> /etc/modprobe.d/cramfs.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure kernel module 'cramfs' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/cramfs.conf + regexp: cramfs + line: install cramfs /bin/true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.4.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - kernel_module_cramfs_disabled + - low_complexity + - low_severity + - medium_disruption + - reboot_required + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - 
contents: + source: data:,install%20cramfs%20/bin/true%0A + mode: 0644 + path: /etc/modprobe.d/75-kernel_module_cramfs_disabled.conf + overwrite: true + + + + + + + + + + + Restrict Programs from Dangerous Execution Patterns + The recommendations in this section are designed to +ensure that the system's features to protect against potentially +dangerous program execution are activated. +These protections are applied at the system initialization or +kernel level, and defend against certain types of badly-configured +or compromised programs. + + Disable storing core dumps + To set the runtime status of the kernel.core_pattern kernel parameter, run the following command: $ sudo sysctl -w kernel.core_pattern=|/bin/false +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.core_pattern = |/bin/false + FMT_SMF_EXT.1 + SRG-OS-000480-GPOS-00227 + CCI-000366 + A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data and is generally useful +only for developers trying to debug problems. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# +# Set runtime for kernel.core_pattern +# +/sbin/sysctl -q -n -w kernel.core_pattern="|/bin/false" + +# +# If kernel.core_pattern present in /etc/sysctl.conf, change value to "|/bin/false" +# else, add "kernel.core_pattern = |/bin/false" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^kernel.core_pattern' "|/bin/false" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl kernel.core_pattern is set to |/bin/false + sysctl: + name: kernel.core_pattern + value: '|/bin/false' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_core_pattern + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.core_pattern%20%3D%20%7C/bin/false%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_core_pattern.conf + overwrite: true + + + + + + + + + + Disallow kernel profiling by unprivileged users + To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_paranoid=2 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_paranoid = 2 + BP28(R23) + FMT_SMF_EXT.1 + SRG-OS-000132-GPOS-00067 + SRG-OS-000138-GPOS-00069 + CCI-001090 + Kernel profiling can reveal sensitive information about kernel behaviour. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# +# Set runtime for kernel.perf_event_paranoid +# +/sbin/sysctl -q -n -w kernel.perf_event_paranoid="2" + +# +# If kernel.perf_event_paranoid present in /etc/sysctl.conf, change value to "2" +# else, add "kernel.perf_event_paranoid = 2" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^kernel.perf_event_paranoid' "2" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl kernel.perf_event_paranoid is set to 2 + sysctl: + name: kernel.perf_event_paranoid + value: '2' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_perf_event_paranoid + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.perf_event_paranoid%3D2%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_perf_event_paranoid.conf + overwrite: true + + + + + + + + + + Disable loading and unloading of kernel modules + To set the runtime status of the kernel.modules_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.modules_disabled=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.modules_disabled = 1 + This rule doesn't come with Bash remediation. Remediating this rule during the installation process disrupts the install and boot process. + BP28(R24) + Malicious kernel modules can have a significant impact on system security and +availability. Disabling loading of kernel modules prevents this threat. Note +that once this option has been set, it cannot be reverted without doing a +system reboot. Make sure that all needed kernel modules are loaded before +setting this option. 
+ + - name: Ensure sysctl kernel.modules_disabled is set to 1 + sysctl: + name: kernel.modules_disabled + value: '1' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_modules_disabled + + + + + + + + + + Disable Kernel Image Loading + To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.kexec_load_disabled=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kexec_load_disabled = 1 + SRG-OS-000480-GPOS-00227 + SRG-OS-000366-GPOS-00153 + CCI-001749 + Disabling kexec_load allows greater control of the kernel memory. +It makes it impossible to load another kernel image after it has been disabled. + + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# +# Set runtime for kernel.kexec_load_disabled +# +/sbin/sysctl -q -n -w kernel.kexec_load_disabled="1" + +# +# If kernel.kexec_load_disabled present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.kexec_load_disabled = 1" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^kernel.kexec_load_disabled' "1" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl kernel.kexec_load_disabled is set to 1 + sysctl: + name: kernel.kexec_load_disabled + value: '1' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_kexec_load_disabled + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.kexec_load_disabled%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_kexec_load_disabled.conf + overwrite: true + + + + + + + + + + Restrict usage of ptrace to descendant processes + To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command: $ sudo sysctl -w kernel.yama.ptrace_scope=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.yama.ptrace_scope = 1 + BP28(R25) + SRG-OS-000132-GPOS-00067 + SRG-OS-000480-GPOS-00227 + CCI-000366 + Unrestricted usage of ptrace allows compromised binaries to run ptrace +on another processes of the user. Like this, the attacker can steal +sensitive information from the target processes (e.g. SSH sessions, web browser, ...) +without any additional assistance from the user (i.e. without resorting to phishing). + + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# +# Set runtime for kernel.yama.ptrace_scope +# +/sbin/sysctl -q -n -w kernel.yama.ptrace_scope="1" + +# +# If kernel.yama.ptrace_scope present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.yama.ptrace_scope = 1" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^kernel.yama.ptrace_scope' "1" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl kernel.yama.ptrace_scope is set to 1 + sysctl: + name: kernel.yama.ptrace_scope + value: '1' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_yama_ptrace_scope + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.yama.ptrace_scope%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_yama_ptrace_scope.conf + overwrite: true + + + + + + + + + + Prevent applications from mapping low portion of virtual memory + To set the runtime status of the vm.mmap_min_addr kernel parameter, run the following command: $ sudo sysctl -w vm.mmap_min_addr=65536 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: vm.mmap_min_addr = 65536 + BP28(R23) + The vm.mmap_min_addr parameter specifies the minimum virtual +address that a process is allowed to mmap. Allowing a process to mmap low +portion of virtual memory can have security implications such as such as +heightened risk of kernel null pointer dereference defects. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# +# Set runtime for vm.mmap_min_addr +# +/sbin/sysctl -q -n -w vm.mmap_min_addr="65536" + +# +# If vm.mmap_min_addr present in /etc/sysctl.conf, change value to "65536" +# else, add "vm.mmap_min_addr = 65536" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^vm.mmap_min_addr' "65536" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl vm.mmap_min_addr is set to 65536 + sysctl: + name: vm.mmap_min_addr + value: '65536' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_vm_mmap_min_addr + + + + + + + + + + Harden the operation of the BPF just-in-time compiler + To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command: $ sudo sysctl -w net.core.bpf_jit_harden=2 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.core.bpf_jit_harden = 2 + FMT_SMF_EXT.1 + SRG-OS-000480-GPOS-00227 + When hardened, the extended Berkeley Packet Filter just-in-time compiler +will randomize any kernel addresses in the BPF programs and maps, +and will not expose the JIT addresses in /proc/kallsyms. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# +# Set runtime for net.core.bpf_jit_harden +# +/sbin/sysctl -q -n -w net.core.bpf_jit_harden="2" + +# +# If net.core.bpf_jit_harden present in /etc/sysctl.conf, change value to "2" +# else, add "net.core.bpf_jit_harden = 2" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.core.bpf_jit_harden' "2" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl net.core.bpf_jit_harden is set to 2 + sysctl: + name: net.core.bpf_jit_harden + value: '2' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_core_bpf_jit_harden + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.core.bpf_jit_harden%3D2%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_core_bpf_jit_harden.conf + overwrite: true + + + + + + + + + + Disable the use of user namespaces + To set the runtime status of the user.max_user_namespaces kernel parameter, +run the following command: +$ sudo sysctl -w user.max_user_namespaces=0 + +To make sure that the setting is persistent, +add the following line to a file in the directory /etc/sysctl.d: +user.max_user_namespaces = 0 +When containers are deployed on the machine, the value should be set +to large non-zero value. + This configuration baseline was created to deploy the base operating system for general purpose +workloads. When the operating system is configured for certain purposes, such as to host Linux Containers, +it is expected that user.max_user_namespaces will be enabled. + FMT_SMF_EXT.1 + SC-39 + CM-6(a) + SRG-OS-000480-GPOS-00227 + CCI-000366 + User namespaces are used primarily for Linux containers. 
The value 0 +disallows the use of user namespaces. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# +# Set runtime for user.max_user_namespaces +# +/sbin/sysctl -q -n -w user.max_user_namespaces="0" + +# +# If user.max_user_namespaces present in /etc/sysctl.conf, change value to "0" +# else, add "user.max_user_namespaces = 0" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^user.max_user_namespaces' "0" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl user.max_user_namespaces is set to 0 + sysctl: + name: user.max_user_namespaces + value: '0' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-39 + - disable_strategy + - low_complexity + - low_severity + - medium_disruption + - reboot_required + - sysctl_user_max_user_namespaces + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,user.max_user_namespaces%20%3D%200%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_user_max_user_namespaces.conf + overwrite: true + + + + + + + + + + Configure maximum number of process identifiers + To set the runtime status of the kernel.pid_max kernel parameter, run the following command: $ sudo sysctl -w kernel.pid_max=65536 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.pid_max = 65536 + BP28(R23) + The kernel.pid_max parameter configures upper limit on process +identifiers (PID). If this number is not high enough, it might happen that +forking of new processes is not possible, because all available PIDs are +exhausted. Increasing this number enhances availability. + + # Remediation is applicable only in certain platforms +if [ ! 
-f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# +# Set runtime for kernel.pid_max +# +/sbin/sysctl -q -n -w kernel.pid_max="65536" + +# +# If kernel.pid_max present in /etc/sysctl.conf, change value to "65536" +# else, add "kernel.pid_max = 65536" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^kernel.pid_max' "65536" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl kernel.pid_max is set to 65536 + sysctl: + name: kernel.pid_max + value: '65536' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_pid_max + + + + + + + + + + Restrict Access to Kernel Message Buffer + To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1 + 3.1.5 + CCI-001314 + 164.308(a)(1)(ii)(D) + 164.308(a)(3) + 164.308(a)(4) + 164.310(b) + 164.310(c) + 164.312(a) + 164.312(e) + SI-11(a) + SI-11(b) + BP28(R23) + SRG-OS-000132-GPOS-00067 + SRG-OS-000138-GPOS-00069 + Unprivileged access to the kernel syslog can expose sensitive kernel +address information. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# +# Set runtime for kernel.dmesg_restrict +# +/sbin/sysctl -q -n -w kernel.dmesg_restrict="1" + +# +# If kernel.dmesg_restrict present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.dmesg_restrict = 1" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^kernel.dmesg_restrict' "1" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl kernel.dmesg_restrict is set to 1 + sysctl: + name: kernel.dmesg_restrict + value: '1' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.5 + - NIST-800-53-SI-11(a) + - NIST-800-53-SI-11(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_dmesg_restrict + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.dmesg_restrict%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_dmesg_restrict.conf + overwrite: true + + + + + + + + + + Disable Access to Network bpf() Syscall From Unprivileged Processes + To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.unprivileged_bpf_disabled=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.unprivileged_bpf_disabled = 1 + FMT_SMF_EXT.1 + SRG-OS-000132-GPOS-00067 + SRG-OS-000480-GPOS-00227 + CCI-000366 + Loading and accessing the packet filters programs and maps using the bpf() +syscall has the potential of revealing sensitive information about the kernel state. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# +# Set runtime for kernel.unprivileged_bpf_disabled +# +/sbin/sysctl -q -n -w kernel.unprivileged_bpf_disabled="1" + +# +# If kernel.unprivileged_bpf_disabled present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.unprivileged_bpf_disabled = 1" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^kernel.unprivileged_bpf_disabled' "1" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl kernel.unprivileged_bpf_disabled is set to 1 + sysctl: + name: kernel.unprivileged_bpf_disabled + value: '1' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_unprivileged_bpf_disabled + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.unprivileged_bpf_disabled%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_unprivileged_bpf_disabled.conf + overwrite: true + + + + + + + + + + Limit sampling frequency of the Perf system + To set the runtime status of the kernel.perf_event_max_sample_rate kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_max_sample_rate=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_max_sample_rate = 1 + BP28(R23) + The kernel.perf_event_max_sample_rate parameter configures maximum +frequency of collecting of samples for the Perf system. It is expressed in +samples per second. Restricting usage of Perf system decreases risk +of potential availability problems. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# +# Set runtime for kernel.perf_event_max_sample_rate +# +/sbin/sysctl -q -n -w kernel.perf_event_max_sample_rate="1" + +# +# If kernel.perf_event_max_sample_rate present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.perf_event_max_sample_rate = 1" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^kernel.perf_event_max_sample_rate' "1" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl kernel.perf_event_max_sample_rate is set to 1 + sysctl: + name: kernel.perf_event_max_sample_rate + value: '1' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_perf_event_max_sample_rate + + + + + + + + + + Limit CPU consumption of the Perf system + To set the runtime status of the kernel.perf_cpu_time_max_percent kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_cpu_time_max_percent=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_cpu_time_max_percent = 1 + BP28(R23) + The kernel.perf_cpu_time_max_percent configures a treshold of +maximum percentile of CPU that can be used by Perf system. Restricting usage +of Perf system decreases risk of potential availability problems. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# +# Set runtime for kernel.perf_cpu_time_max_percent +# +/sbin/sysctl -q -n -w kernel.perf_cpu_time_max_percent="1" + +# +# If kernel.perf_cpu_time_max_percent present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.perf_cpu_time_max_percent = 1" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^kernel.perf_cpu_time_max_percent' "1" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl kernel.perf_cpu_time_max_percent is set to 1 + sysctl: + name: kernel.perf_cpu_time_max_percent + value: '1' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_perf_cpu_time_max_percent + + + + + + + + + + Disallow magic SysRq key + To set the runtime status of the kernel.sysrq kernel parameter, run the following command: $ sudo sysctl -w kernel.sysrq=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.sysrq = 0 + BP28(R23) + The Magic SysRq key allows sending certain commands directly to the running +kernel. It can dump various system and process information, potentially +revealing sensitive information. It can also reboot or shutdown the machine, +disturbing its availability. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# +# Set runtime for kernel.sysrq +# +/sbin/sysctl -q -n -w kernel.sysrq="0" + +# +# If kernel.sysrq present in /etc/sysctl.conf, change value to "0" +# else, add "kernel.sysrq = 0" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^kernel.sysrq' "0" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl kernel.sysrq is set to 0 + sysctl: + name: kernel.sysrq + value: '0' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_sysrq + + + + + + + + + + Memory Poisoning + Memory Poisoning consists of writing a special value to uninitialized or freed memory. +Poisoning can be used as a mechanism to prevent leak of information and detection of +corrupted memory. + + + Enable page allocator poisoning + To enable poisoning of free pages, +add the argument page_poison=1 to the default +GRUB 2 command line for the Linux operating system in +/etc/default/grub, in the manner below: +GRUB_CMDLINE_LINUX="page_poison=1" + The GRUB 2 configuration file, grub.cfg, +is automatically updated each time a new kernel is installed. Note that any +changes to /etc/default/grub require rebuilding the grub.cfg +file. To update the GRUB 2 configuration file manually, use the +grub2-mkconfig -o command as follows: +On BIOS-based machines, issue the following command as root: +~]# grub2-mkconfig -o /boot/grub2/grub.cfgOn UEFI-based machines, issue the following command as root: + +~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg + SRG-OS-000480-GPOS-00227 + SRG-OS-000134-GPOS-00068 + CM-6(a) + CCI-001084 + Poisoning writes an arbitrary value to freed pages, so any modification or +reference to that page after being freed or before being initialized will be +detected and prevented. 
+This prevents many types of use-after-free vulnerabilities at little performance cost. +Also prevents leak of data and detection of corrupted memory. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then + +# Correct grub2 kernelopts value using grub2-editenv +if ! grub2-editenv - list | grep -qE '^kernelopts=(.*\s)?page_poison=1(\s.*)?$'; then + grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) page_poison=1" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-6(a) + - grub2_page_poison_argument + - low_disruption + - medium_complexity + - medium_severity + - reboot_required + - restrict_strategy + +- name: get current kernel parameters + command: /usr/bin/grub2-editenv - list + register: kernelopts + changed_when: false + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' + tags: + - NIST-800-53-CM-6(a) + - grub2_page_poison_argument + - low_disruption + - medium_complexity + - medium_severity + - reboot_required + - restrict_strategy + +- name: Update the bootloader menu + command: /usr/bin/grub2-editenv - set "{{ item }} page_poison=1" + with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') | + list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' + - kernelopts.stdout_lines is defined + - kernelopts.stdout_lines | length > 0 + - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?page_poison=1(?:\s.*)?$', + multiline=True) is none + tags: + - NIST-800-53-CM-6(a) + - grub2_page_poison_argument + - low_disruption + - medium_complexity + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + 
+ Enable SLUB/SLAB allocator poisoning + To enable poisoning of SLUB/SLAB objects, +add the argument slub_debug=P to the default +GRUB 2 command line for the Linux operating system in +/etc/default/grub, in the manner below: +GRUB_CMDLINE_LINUX="slub_debug=P" + The GRUB 2 configuration file, grub.cfg, +is automatically updated each time a new kernel is installed. Note that any +changes to /etc/default/grub require rebuilding the grub.cfg +file. To update the GRUB 2 configuration file manually, use the +grub2-mkconfig -o command as follows: +On BIOS-based machines, issue the following command as root: +~]# grub2-mkconfig -o /boot/grub2/grub.cfgOn UEFI-based machines, issue the following command as root: + +~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg + SRG-OS-000433-GPOS-00192 + SRG-OS-000134-GPOS-00068 + CM-6(a) + CCI-001084 + Poisoning writes an arbitrary value to freed objects, so any modification or +reference to that object after being freed or before being initialized will be +detected and prevented. +This prevents many types of use-after-free vulnerabilities at little performance cost. +Also prevents leak of data and detection of corrupted memory. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then + +# Correct grub2 kernelopts value using grub2-editenv +if ! 
grub2-editenv - list | grep -qE '^kernelopts=(.*\s)?slub_debug=P(\s.*)?$'; then + grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) slub_debug=P" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-6(a) + - grub2_slub_debug_argument + - low_disruption + - medium_complexity + - medium_severity + - reboot_required + - restrict_strategy + +- name: get current kernel parameters + command: /usr/bin/grub2-editenv - list + register: kernelopts + changed_when: false + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' + tags: + - NIST-800-53-CM-6(a) + - grub2_slub_debug_argument + - low_disruption + - medium_complexity + - medium_severity + - reboot_required + - restrict_strategy + +- name: Update the bootloader menu + command: /usr/bin/grub2-editenv - set "{{ item }} slub_debug=P" + with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') | + list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"grub2-common" in ansible_facts.packages' + - kernelopts.stdout_lines is defined + - kernelopts.stdout_lines | length > 0 + - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?slub_debug=P(?:\s.*)?$', + multiline=True) is none + tags: + - NIST-800-53-CM-6(a) + - grub2_slub_debug_argument + - low_disruption + - medium_complexity + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + + Enable Execute Disable (XD) or No Execute (NX) Support on +x86 Systems + Recent processors in the x86 family support the +ability to prevent code execution on a per memory page basis. +Generically and on AMD processors, this ability is called No +Execute (NX), while on Intel processors it is called Execute +Disable (XD). 
This ability can help prevent exploitation of buffer +overflow vulnerabilities and should be activated whenever possible. +Extra steps must be taken to ensure that this protection is +enabled, particularly on 32-bit x86 systems. Other processors, such +as Itanium and POWER, have included such support since inception +and the standard kernel for those platforms supports the +feature. This is enabled by default on the latest Red Hat and +Fedora systems if supported by the hardware. + + Install PAE Kernel on Supported 32-bit x86 Systems + Systems that are using the 64-bit x86 kernel package +do not need to install the kernel-PAE package because the 64-bit +x86 kernel already includes this support. However, if the system is +32-bit and also supports the PAE and NX features as +determined in the previous section, the kernel-PAE package should +be installed to enable XD or NX support. +The kernel-PAE package can be installed with the following command: + +$ sudo dnf install kernel-PAE +The installation process should also have configured the +bootloader to load the new kernel at boot. Verify this after reboot +and modify /etc/default/grub if necessary. + The kernel-PAE package should not be +installed on older systems that do not support the XD or NX bit, as +8this may prevent them from booting.8 + 3.1.7 + CM-6(a) + PR.IP-1 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 3 + 9 + BP28(R9) + On 32-bit systems that support the XD or NX bit, the vendor-supplied +PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support. + + + + + + + Enable NX or XD Support in the BIOS + Reboot the system and enter the BIOS or Setup configuration menu. +Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located +under a Security section. 
Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) +on AMD-based systems. + 3.1.7 + SC-39 + CM-6(a) + PR.IP-1 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 3 + 9 + BP28(R9) + Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will +allow users to turn the feature on or off at will. + + + + + Disable Core Dumps + A core dump file is the memory image of an executable +program when it was terminated by the operating system due to +errant behavior. In most cases, only software developers +legitimately need to access these files. The core dump files may +also contain sensitive information, or unnecessarily occupy large +amounts of disk space. + +Once a hard limit is set in /etc/security/limits.conf, or +to a file within the /etc/security/limits.d/ directory, a +user cannot increase that limit within his or her own session. If access +to core dumps is required, consider restricting them to only +certain users or groups. See the limits.conf man page for more +information. + +The core dumps of setuid programs are further protected. The +sysctl variable fs.suid_dumpable controls whether +the kernel allows core dumps from these programs at all. The default +value of 0 is recommended. + + Disable acquiring, saving, and processing core dumps + The systemd-coredump.socket unit is a socket activation of +the systemd-coredump@.service which processes core dumps. +By masking the unit, core dump processing is disabled. + FMT_SMF_EXT.1 + SRG-OS-000480-GPOS-00227 + CCI-000366 + A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data +and is generally useful only for developers trying to debug problems. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'systemd-coredump.service' +"$SYSTEMCTL_EXEC" disable 'systemd-coredump.service' +"$SYSTEMCTL_EXEC" mask 'systemd-coredump.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^systemd-coredump.socket'; then + "$SYSTEMCTL_EXEC" stop 'systemd-coredump.socket' + "$SYSTEMCTL_EXEC" mask 'systemd-coredump.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'systemd-coredump.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable service systemd-coredump + block: + + - name: Gather the service facts + service_facts: null + + - name: Disable service systemd-coredump + systemd: + name: systemd-coredump.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"systemd-coredump.service" in ansible_facts.services' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_systemd-coredump_disabled + +- name: Unit Socket Exists - systemd-coredump.socket + command: systemctl list-unit-files systemd-coredump.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_systemd-coredump_disabled + +- name: Disable socket systemd-coredump + systemd: + name: systemd-coredump.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"systemd-coredump.socket" in socket_file_exists.stdout_lines[1]' + tags: + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_systemd-coredump_disabled + + include disable_systemd-coredump + +class disable_systemd-coredump { + service {'systemd-coredump': + enable => false, + ensure => 'stopped', + } +} + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: systemd-coredump.service + enabled: false + mask: true + - name: systemd-coredump.socket + enabled: false + mask: true + + + + + + + + + + Disable storing core dump + The Storage option in [Coredump] section +of /etc/systemd/coredump.conf +can be set to none to disable storing core dumps permanently. + If the /etc/systemd/coredump.conf file +does not already contain the [Coredump] section, +the value will not be configured correctly. + FMT_SMF_EXT.1 + SRG-OS-000480-GPOS-00227 + CCI-000366 + A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data +and is generally useful only for developers or system operators trying to +debug problems. Enabling core dumps on production systems is not recommended, +however there may be overriding operational requirements to enable advanced +debuging. Permitting temporary enablement of core dumps during such situations +should be reviewed through local needs and policy. + if [ -e "/etc/systemd/coredump.conf" ] ; then + LC_ALL=C sed -i "/^\s*Storage\s*=\s*/Id" "/etc/systemd/coredump.conf" +else + touch "/etc/systemd/coredump.conf" +fi +cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak" +# Insert at the end of the file +printf '%s\n' "Storage=none" >> "/etc/systemd/coredump.conf" +# Clean up after ourselves. 
+rm "/etc/systemd/coredump.conf.bak" + + - name: Disable storing core dump + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/systemd/coredump.conf + create: false + regexp: ^\s*Storage\s*=\s* + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/systemd/coredump.conf + lineinfile: + path: /etc/systemd/coredump.conf + create: false + regexp: ^\s*Storage\s*=\s* + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/systemd/coredump.conf + lineinfile: + path: /etc/systemd/coredump.conf + create: false + regexp: ^\s*Storage\s*=\s* + line: Storage=none + state: present + tags: + - coredump_disable_storage + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A + mode: 0644 + path: /etc/systemd/coredump.conf + 
overwrite: true + + + + + + + + + + Disable Core Dumps for All Users + To disable core dumps for all users, add the following line to +/etc/security/limits.conf, or to a file within the +/etc/security/limits.d/ directory: +* hard core 0 + DE.CM-1 + PR.DS-4 + SR 6.2 + SR 7.1 + SR 7.2 + APO13.01 + BAI04.04 + DSS01.03 + DSS03.05 + DSS05.07 + A.12.1.3 + A.17.2.1 + 1 + 12 + 13 + 15 + 16 + 2 + 7 + 8 + SRG-OS-000480-GPOS-00227 + CCI-000366 + A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data and is generally useful +only for developers trying to debug problems. + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - disable_users_coredumps + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: disable core dumps with limits + lineinfile: + dest: /etc/security/limits.conf + regexp: ^[^#].*core + line: '* hard core 0' + create: true + when: '"pam" in ansible_facts.packages' + tags: + - disable_users_coredumps + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%2A%20%20%20%20%20hard%20%20%20core%20%20%20%200 + mode: 0644 + path: /etc/security/limits.d/75-disable_users_coredumps.conf + overwrite: true + + + + + + + + + + Disable core dump backtraces + The ProcessSizeMax option in [Coredump] section +of /etc/systemd/coredump.conf +specifies the maximum size in bytes of a core which will be processed. +Core dumps exceeding this size may be stored, but the backtrace will not +be generated. + If the /etc/systemd/coredump.conf file +does not already contain the [Coredump] section, +the value will not be configured correctly. 
+ FMT_SMF_EXT.1 + SRG-OS-000480-GPOS-00227 + CCI-000366 + A core dump includes a memory image taken at the time the operating system +terminates an application. The memory image could contain sensitive data +and is generally useful only for developers or system operators trying to +debug problems. + +Enabling core dumps on production systems is not recommended, +however there may be overriding operational requirements to enable advanced +debuging. Permitting temporary enablement of core dumps during such situations +should be reviewed through local needs and policy. + if [ -e "/etc/systemd/coredump.conf" ] ; then + LC_ALL=C sed -i "/^\s*ProcessSizeMax\s*=\s*/Id" "/etc/systemd/coredump.conf" +else + touch "/etc/systemd/coredump.conf" +fi +cp "/etc/systemd/coredump.conf" "/etc/systemd/coredump.conf.bak" +# Insert at the end of the file +printf '%s\n' "ProcessSizeMax=0" >> "/etc/systemd/coredump.conf" +# Clean up after ourselves. +rm "/etc/systemd/coredump.conf.bak" + + - name: Disable core dump backtraces + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/systemd/coredump.conf + create: false + regexp: ^\s*ProcessSizeMax\s*=\s* + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/systemd/coredump.conf + lineinfile: + path: /etc/systemd/coredump.conf + create: false + regexp: ^\s*ProcessSizeMax\s*=\s* + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/systemd/coredump.conf + lineinfile: + path: /etc/systemd/coredump.conf + create: false + regexp: ^\s*ProcessSizeMax\s*=\s* + line: ProcessSizeMax=0 + state: present + tags: + - coredump_disable_backtraces + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A + mode: 0644 + path: /etc/systemd/coredump.conf + overwrite: true + + + + + + + + + + Disable Core Dumps for SUID programs + To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command: $ sudo sysctl -w fs.suid_dumpable=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.suid_dumpable = 0 + 164.308(a)(1)(ii)(D) + 164.308(a)(3) + 164.308(a)(4) + 164.310(b) + 164.310(c) + 164.312(a) + 164.312(e) + SI-11(a) + SI-11(b) + BP28(R23) + The core dump of a setuid program is more likely to contain +sensitive data, as the program itself runs with greater privileges than the +user who initiated execution of the program. Disabling the ability for any +setuid program to write a core file decreases the risk of unauthorized access +of such data. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# +# Set runtime for fs.suid_dumpable +# +/sbin/sysctl -q -n -w fs.suid_dumpable="0" + +# +# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0" +# else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^fs.suid_dumpable' "0" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl fs.suid_dumpable is set to 0 + sysctl: + name: fs.suid_dumpable + value: '0' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-SI-11(a) + - NIST-800-53-SI-11(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_fs_suid_dumpable + + + + + + + + + + + Enable ExecShield + ExecShield describes kernel features that provide +protection against exploitation of memory corruption errors such as buffer +overflows. These features include random placement of the stack and other +memory regions, prevention of execution in memory that should only hold data, +and special handling of text buffers. These protections are enabled by default +on 32-bit systems and controlled through sysctl variables +kernel.exec-shield and kernel.randomize_va_space. On the latest +64-bit systems, kernel.exec-shield cannot be enabled or disabled with +sysctl. 
+ + Restrict Exposed Kernel Pointer Addresses Access + To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.kptr_restrict=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kptr_restrict = 1 + BP28(R23) + SC-30 + SC-30(2) + SC-30(5) + CM-6(a) + SRG-OS-000132-GPOS-00067 + SRG-OS-000433-GPOS-00192 + SRG-OS-000480-GPOS-00227 + CCI-000366 + Exposing kernel pointers (through procfs or seq_printf()) exposes +kernel writeable structures that can contain functions pointers. If a write vulnereability occurs +in the kernel allowing a write access to any of this structure, the kernel can be compromise. This +option disallow any program withtout the CAP_SYSLOG capability from getting the kernel pointers addresses, +replacing them with 0. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# +# Set runtime for kernel.kptr_restrict +# +/sbin/sysctl -q -n -w kernel.kptr_restrict="1" + +# +# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to "1" +# else, add "kernel.kptr_restrict = 1" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^kernel.kptr_restrict' "1" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl kernel.kptr_restrict is set to 1 + sysctl: + name: kernel.kptr_restrict + value: '1' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-30 + - NIST-800-53-SC-30(2) + - NIST-800-53-SC-30(5) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_kptr_restrict + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + 
- contents: + source: data:,kernel.kptr_restrict%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_kptr_restrict.conf + overwrite: true + + + + + + + + + + Enable ExecShield via sysctl + By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield is +enabled and can only be disabled if the hardware does not support +ExecShield or is disabled in /etc/default/grub. For Red Hat +Enterprise Linux 7 32-bit systems, sysctl can be used to enable +ExecShield. + 3.1.7 + CCI-002530 + 164.308(a)(1)(ii)(D) + 164.308(a)(3) + 164.308(a)(4) + 164.310(b) + 164.310(c) + 164.312(a) + 164.312(e) + SC-39 + CM-6(a) + PR.PT-4 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + APO13.01 + DSS05.02 + A.13.1.1 + A.13.2.1 + A.14.1.3 + 12 + 15 + 8 + SRG-OS-000433-GPOS-00192 + BP28(R9) + ExecShield uses the segmentation feature on all x86 systems to prevent +execution in memory higher than a certain address. It writes an address as +a limit in the code segment descriptor, to control where code can be +executed, on a per-process basis. When the kernel places a process's memory +regions such as the stack and heap higher than this address, the hardware +prevents execution in that address range. This is enabled by default on the +latest Red Hat and Fedora systems if supported by the hardware. 
+ + + + + + + + + + Enable Randomized Layout of Virtual Address Space + To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2 + 3.1.7 + CCI-000366 + CCI-002824 + 164.308(a)(1)(ii)(D) + 164.308(a)(3) + 164.308(a)(4) + 164.310(b) + 164.310(c) + 164.312(a) + 164.312(e) + SC-30 + SC-30(2) + CM-6(a) + SRG-OS-000433-GPOS-00193 + SRG-OS-000480-GPOS-00227 + BP28(R23) + Address space layout randomization (ASLR) makes it more difficult for an +attacker to predict the location of attack code they have introduced into a +process's address space during an attempt at exploitation. Additionally, +ASLR makes it more difficult for an attacker to know the location of +existing code in order to re-purpose it using return oriented programming +(ROP) techniques. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# +# Set runtime for kernel.randomize_va_space +# +/sbin/sysctl -q -n -w kernel.randomize_va_space="2" + +# +# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2" +# else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' "2" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl kernel.randomize_va_space is set to 2 + sysctl: + name: kernel.randomize_va_space + value: '2' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.7 + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-30 + - NIST-800-53-SC-30(2) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_kernel_randomize_va_space + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,kernel.randomize_va_space%3D2%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_kernel_randomize_va_space.conf + overwrite: true + + + + + + + + + + + Daemon Umask + The umask is a per-process setting which limits +the default permissions for creation of new files and directories. +The system includes initialization scripts which set the default umask +for system daemons. + + daemon umask + Enter umask for daemons + 022 + 027 + 022 + + + Set Daemon Umask + The file /etc/init.d/functions includes initialization +parameters for most or all daemons started at boot time. Many daemons +on the system already individually restrict themselves to +a umask of 077 in their own init scripts. By default, the umask of +022 is set which prevents creation of group- or world-writable files. 
+To set the umask for daemons expected by the profile, edit the following line: +umask + Setting the umask to too restrictive a setting can cause serious errors at +runtime. + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + The umask influences the permissions assigned to files created by a +process at run time. An unnecessarily permissive umask could result in files +being created with insecure permissions. + + + + + + + + + + + + Verify Permissions on Important Files and +Directories + Permissions for many files on a system must be set +restrictively to ensure sensitive information is properly protected. +This section discusses important +permission restrictions which can be verified +to ensure that no harmful discrepancies have +arisen. + + Verify that local System.map file (if exists) is readable only by root + Files containing sensitive informations should be protected by restrictive + permissions. Most of the time, there is no need that these files need to be read by any non-root user + +To properly set the permissions of /boot/System.map-*, run the command: +$ sudo chmod 0600 /boot/System.map-* + BP28(R13) + The System.map file contains information about kernel symbols and + can give some hints to generate local exploitation. + + + + + + + + + Ensure All World-Writable Directories Are Owned by a System Account + All directories in local partitions which are +world-writable should be owned by root or another +system account. If any world-writable directories are not +owned by a system account, this should be investigated. +Following this, the files should be deleted or assigned to an +appropriate owner. 
+ CCI-000366 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SRG-OS-000480-GPOS-00227 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + Allowing a user account to own a world-writable directory is +undesirable because it allows the owner of that directory to remove +or replace any files that may be placed in the directory by other +users. + + + + + + + + + Ensure All World-Writable Directories Are Group Owned by a System Account + All directories in local partitions which are +world-writable should be group owned by root or another +system account. If any world-writable directories are not +group owned by a system account, this should be investigated. +Following this, the files should be deleted or assigned to an +appropriate group. + CCI-000366 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SRG-OS-000480-GPOS-00227 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + Allowing a user account to group own a world-writable directory is +undesirable because it allows the owner of that directory to remove +or replace any files that may be placed in the directory by other +users. + + + + + + + + + Ensure No World-Writable Files Exist + It is generally a good idea to remove global (other) write +access to a file when it is discovered. However, check with +documentation for specific applications before making changes. 
+Also, monitor for recurring world-writable files, as these may be +symptoms of a misconfigured application or user account. Finally, +this applies to real files and not virtual files that are a part of +pseudo file systems such as sysfs or procfs. + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + BP28(R40) + Data in world-writable files can be modified by any +user on the system. In almost all circumstances, files can be +configured using a combination of user and group permissions to +support whatever legitimate access is needed without the risk +caused by world-writable files. + +find / -xdev -type f -perm -002 -exec chmod o-w {} \; + + + + + + + + + + Ensure All Files Are Owned by a User + If any files are not owned by a user, then the +cause of their lack of ownership should be investigated. +Following this, the files should be deleted or assigned to an +appropriate user. The following command will discover and print +any files on local partitions which do not belong to a valid user: +$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser +To search all filesystems on a system including network mounted +filesystems the following command can be run manually for each partition: +$ sudo find PARTITION -xdev -nouser + For this rule to evaluate centralized user accounts, getent must be working properly +so that running the command getent passwd returns a list of all users in your organization. 
+If using the System Security Services Daemon (SSSD), enumerate = true must be configured +in your organization's domain to return a complete list of users + Enabling this rule will result in slower scan times depending on the size of your organization +and number of centralized users. + CCI-000366 + CCI-002165 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.AC-6 + PR.DS-5 + PR.IP-1 + PR.PT-3 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 5.2 + SR 7.6 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO01.06 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.03 + DSS06.06 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + 9 + Unowned files do not directly imply a security problem, but they are generally +a sign that something is amiss. They may +be caused by an intruder, by incorrect software installation or +draft software removal, or by failure to remove all files belonging +to a deleted account. The files should be repaired so they +will not cause problems when accounts are created in the future, +and the cause should be discovered and addressed. 
+ + + + + + + + + Enable Kernel Parameter to Enforce DAC on Hardlinks + To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_hardlinks=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_hardlinks = 1 + BP28(R23) + CM-6(a) + AC-6(1) + SRG-OS-000324-GPOS-00125 + CCI-002165 + By enabling this kernel parameter, users can no longer create soft or hard links to +files which they do not own. Disallowing such hardlinks mitigate vulnerabilities +based on insecure file system accessed by privileged programs, avoiding an +exploitation vector exploiting unsafe use of open() or creat(). + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# +# Set runtime for fs.protected_hardlinks +# +/sbin/sysctl -q -n -w fs.protected_hardlinks="1" + +# +# If fs.protected_hardlinks present in /etc/sysctl.conf, change value to "1" +# else, add "fs.protected_hardlinks = 1" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^fs.protected_hardlinks' "1" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl fs.protected_hardlinks is set to 1 + sysctl: + name: fs.protected_hardlinks + value: '1' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_fs_protected_hardlinks + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,fs.protected_hardlinks%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_fs_protected_hardlinks.conf + overwrite: true + + + + + + + + + + 
Enable Kernel Parameter to Enforce DAC on Symlinks + To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_symlinks = 1 + BP28(R23) + CM-6(a) + AC-6(1) + SRG-OS-000324-GPOS-00125 + CCI-002165 + By enabling this kernel parameter, symbolic links are permitted to be followed +only when outside a sticky world-writable directory, or when the UID of the +link and follower match, or when the directory owner matches the symlink's owner. +Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system +accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of +open() or creat(). + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# +# Set runtime for fs.protected_symlinks +# +/sbin/sysctl -q -n -w fs.protected_symlinks="1" + +# +# If fs.protected_symlinks present in /etc/sysctl.conf, change value to "1" +# else, add "fs.protected_symlinks = 1" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^fs.protected_symlinks' "1" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl fs.protected_symlinks is set to 1 + sysctl: + name: fs.protected_symlinks + value: '1' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_fs_protected_symlinks + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,fs.protected_symlinks%3D1%0A + mode: 0644 + 
path: /etc/sysctl.d/75-sysctl_fs_protected_symlinks.conf + overwrite: true + + + + + + + + + + Ensure All SGID Executables Are Authorized + The SGID (set group id) bit should be set only on files that were +installed via authorized means. A straightforward means of identifying +unauthorized SGID files is determine if any were not installed as part of an +RPM package, which is cryptographically verified. Investigate the origin +of any unpackaged SGID files. +This configuration check considers authorized SGID files which were installed via RPM. +It is assumed that when an individual has sudo access to install an RPM +and all packages are signed with an organizationally-recognized GPG key, +the software should be considered an approved package on the system. +Any SGID file not deployed through an RPM will be flagged for further review. + BP28(R37) + BP28(R38) + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + Executable files with the SGID permission run with the privileges of +the owner of the file. SGID files of uncertain provenance could allow for +unprivileged users to elevate privileges. The presence of these files should be +strictly controlled on the system. + + + + + + + + + Ensure All Files Are Owned by a Group + If any files are not owned by a group, then the +cause of their lack of group-ownership should be investigated. +Following this, the files should be deleted or assigned to an +appropriate group. 
The following command will discover and print +any files on local partitions which do not belong to a valid group: +$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup +To search all filesystems on a system including network mounted +filesystems the following command can be run manually for each partition: +$ sudo find PARTITION -xdev -nogroup + This rule only considers local groups. +If you have your groups defined outside /etc/group, the rule won't consider those. + CCI-000366 + CCI-002165 + CM-6(a) + AC-6(1) + PR.AC-1 + PR.AC-4 + PR.AC-6 + PR.AC-7 + PR.DS-5 + PR.PT-3 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 5.2 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + APO01.06 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.02 + DSS06.03 + DSS06.06 + DSS06.10 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.18.1.4 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + Unowned files do not directly imply a security problem, but they are generally +a sign that something is amiss. They may +be caused by an intruder, by incorrect software installation or +draft software removal, or by failure to remove all files belonging +to a deleted account. 
The files should be repaired so they +will not cause problems when accounts are created in the future, +and the cause should be discovered and addressed. + + + + + + + + + Ensure All World-Writable Directories Are Owned by root user + All directories in local partitions which are world-writable should be owned +by root. If any world-writable directories are not owned by root, this +should be investigated. Following this, the files should be deleted or +assigned to root user. + BP28(R40) + SRG-OS-000480-GPOS-00227 + CCI-000366 + Allowing a user account to own a world-writable directory is +undesirable because it allows the owner of that directory to remove +or replace any files that may be placed in the directory by other +users. + #!/bin/bash + +find / -not -fstype afs -not -fstype ceph -not -fstype cifs -not -fstype smb3 -not -fstype smbfs -not -fstype sshfs -not -fstype ncpfs -not -fstype ncp -not -fstype nfs -not -fstype nfs4 -not -fstype gfs -not -fstype gfs2 -not -fstype glusterfs -not -fstype gpfs -not -fstype pvfs2 -not -fstype ocfs2 -not -fstype lustre -not -fstype davfs -not -fstype fuse.sshfs -type d -perm -0002 -uid +0 -exec chown root {} \; + + - name: Configure excluded (non local) file systems + set_fact: + excluded_fstypes: + - afs + - ceph + - cifs + - smb3 + - smbfs + - sshfs + - ncpfs + - ncp + - nfs + - nfs4 + - gfs + - gfs2 + - glusterfs + - gpfs + - pvfs2 + - ocfs2 + - lustre + - davfs + - fuse.sshfs + tags: + - dir_perms_world_writable_root_owned + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Create empty list of excluded paths + set_fact: + excluded_paths: [] + tags: + - dir_perms_world_writable_root_owned + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Detect nonlocal file systems and add them to excluded paths + set_fact: + excluded_paths: '{{ excluded_paths | union([item.mount]) }}' + loop: '{{ 
ansible_mounts }}' + when: item.fstype in excluded_fstypes + tags: + - dir_perms_world_writable_root_owned + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Find all directories excluding non-local partitions + find: + paths: / + excludes: excluded_paths + file_type: directory + hidden: true + recurse: true + register: found_dirs + tags: + - dir_perms_world_writable_root_owned + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Create list of world writable directories + set_fact: + world_writable_dirs: '{{ found_dirs.files | selectattr(''woth'') | list }}' + tags: + - dir_perms_world_writable_root_owned + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Change owner to root on directories which are world writable + file: + path: '{{ item.path }}' + owner: root + loop: '{{ world_writable_dirs }}' + ignore_errors: true + tags: + - dir_perms_world_writable_root_owned + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Ensure All SUID Executables Are Authorized + The SUID (set user id) bit should be set only on files that were +installed via authorized means. A straightforward means of identifying +unauthorized SUID files is determine if any were not installed as part of an +RPM package, which is cryptographically verified. Investigate the origin +of any unpackaged SUID files. +This configuration check considers authorized SUID files which were installed via RPM. +It is assumed that when an individual has sudo access to install an RPM +and all packages are signed with an organizationally-recognized GPG key, +the software should be considered an approved package on the system. +Any SUID file not deployed through an RPM will be flagged for further review. 
+ BP28(R37) + BP28(R38) + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + Executable files with the SUID permission run with the privileges of +the owner of the file. SUID files of uncertain provenance could allow for +unprivileged users to elevate privileges. The presence of these files should be +strictly controlled on the system. + + + + + + + + + Verify that All World-Writable Directories Have Sticky Bits Set + When the so-called 'sticky bit' is set on a directory, +only the owner of a given file may remove that file from the +directory. Without the sticky bit, any user with write access to a +directory may remove any file in the directory. Setting the sticky +bit prevents users from removing each other's files. In cases where +there is no reason for a directory to be world-writable, a better +solution is to remove that permission rather than to set the sticky +bit. However, if a directory is used by a particular application, +consult that application's documentation instead of blindly +changing modes. 
+ +To set the sticky bit on a world-writable directory DIR, run the +following command: +$ sudo chmod +t DIR + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + SRG-OS-000138-GPOS-00069 + BP28(R40) + CCI-001090 + Failing to set the sticky bit on public directories allows unauthorized +users to delete files in the directory structure. + +The only authorized public directories are those temporary directories +supplied with the system, or those designed to be temporary file +repositories. The setting is normally reserved for directories used by the +system, by users for temporary file storage (such as /tmp), and +for directories requiring global read/write access. + + + + + + + + + Verify File Permissions Within Some Important Directories + Some directories contain files whose confidentiality or integrity +is notably important and may also be susceptible to misconfiguration over time, particularly if +unpackaged software is installed. As such, +an argument exists to verify that files' permissions within these directories remain +configured correctly and restrictively. + + Verify that Shared Library Directories Have Restrictive Permissions + System-wide shared library directories, which contain are linked to executables +during process load time or run time, are stored in the following directories +by default: +/lib +/lib64 +/usr/lib +/usr/lib64 + +Kernel modules, which can be added to the kernel during runtime, are +stored in /lib/modules. All sub-directories in these directories +should not be group-writable or world-writable. 
If any file in these +directories is found to be group-writable or world-writable, correct +its permission with the following command: +$ sudo chmod go-w DIR + CCI-001499 + If the operating system were to allow any user to make changes to software libraries, +then those changes might be implemented without undergoing the appropriate testing +and approvals that are part of a robust change management process. + +This requirement applies to operating systems with software libraries that are accessible +and configurable, as in the case of interpreted languages. Software libraries also include +privileged programs which execute with escalated privileges. Only qualified and authorized +individuals must be allowed to obtain access to information system components for purposes +of initiating changes, including upgrades and modifications. + + + + + + + + + Verify that System Executables Have Restrictive Permissions + System executables are stored in the following directories by default: +/bin +/sbin +/usr/bin +/usr/libexec +/usr/local/bin +/usr/local/sbin +/usr/sbin +All files in these directories should not be group-writable or world-writable. +If any file FILE in these directories is found +to be group-writable or world-writable, correct its permission with the +following command: +$ sudo chmod go-w FILE + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + SRG-OS-000259-GPOS-00100 + CCI-001499 + System binaries are executed by privileged users, as well as system services, +and restrictive permissions are necessary to ensure execution of these programs +cannot be co-opted. 
+ - name: Read list of world and group writable system executables + command: find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec + -perm /022 -type f + register: world_writable_library_files + changed_when: false + failed_when: false + check_mode: false + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - file_permissions_binary_dirs + - medium_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Remove world/group writability of system executables + file: + path: '{{ item }}' + mode: go-w + with_items: '{{ world_writable_library_files.stdout_lines }}' + when: world_writable_library_files.stdout_lines | length > 0 + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - file_permissions_binary_dirs + - medium_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Verify that Shared Library Files Have Restrictive Permissions + System-wide shared library files, which are linked to executables +during process load time or run time, are stored in the following directories +by default: +/lib +/lib64 +/usr/lib +/usr/lib64 + +Kernel modules, which can be added to the kernel during runtime, are +stored in /lib/modules. All files in these directories +should not be group-writable or world-writable. 
If any file in these +directories is found to be group-writable or world-writable, correct +its permission with the following command: +$ sudo chmod go-w FILE + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + SRG-OS-000259-GPOS-00100 + CCI-001499 + Files from shared library directories are loaded into the address +space of processes (including privileged ones) or of the kernel itself at +runtime. Restrictive permissions are necessary to protect the integrity of the system. + - name: Read list of world and group writable files in libraries directories + command: find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f + register: world_writable_library_files + changed_when: false + failed_when: false + check_mode: false + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - file_permissions_library_dirs + - high_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Disable world/group writability to library files + file: + path: '{{ item }}' + mode: go-w + with_items: '{{ world_writable_library_files.stdout_lines }}' + when: world_writable_library_files.stdout_lines | length > 0 + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - file_permissions_library_dirs + - high_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Verify that System Executables Have Root Ownership + System executables are stored in the following directories by default: +/bin +/sbin +/usr/bin +/usr/libexec +/usr/local/bin +/usr/local/sbin +/usr/sbin +All files in these directories should be owned by the root user. 
+If any file FILE in these directories is found +to be owned by a user other than root, correct its ownership with the +following command: +$ sudo chown root FILE + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + SRG-OS-000259-GPOS-00100 + CCI-001499 + System binaries are executed by privileged users as well as system services, +and restrictive permissions are necessary to ensure that their +execution of these programs cannot be co-opted. + - name: Read list of system executables without root ownership + command: find /bin/ /usr/bin/ /usr/local/bin/ /sbin/ /usr/sbin/ /usr/local/sbin/ + /usr/libexec \! -user root + register: no_root_system_executables + changed_when: false + failed_when: false + check_mode: false + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - file_ownership_binary_dirs + - medium_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Set ownership to root of system executables + file: + path: '{{ item }}' + owner: root + with_items: '{{ no_root_system_executables.stdout_lines }}' + when: no_root_system_executables.stdout_lines | length > 0 + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - file_ownership_binary_dirs + - medium_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Verify that Shared Library Files Have Root Ownership + System-wide shared library files, which are linked to executables +during process load time or run time, are stored in the following directories +by default: +/lib +/lib64 +/usr/lib +/usr/lib64 + +Kernel modules, which can be added to the kernel 
during runtime, are also +stored in /lib/modules. All files in these directories should be +owned by the root user. If the directory, or any file in these +directories, is found to be owned by a user other than root correct its +ownership with the following command: +$ sudo chown root FILE + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + SRG-OS-000259-GPOS-00100 + CCI-001499 + Files from shared library directories are loaded into the address +space of processes (including privileged ones) or of the kernel itself at +runtime. Proper ownership is necessary to protect the integrity of the system. + for LIBDIR in /usr/lib /usr/lib64 /lib /lib64 +do + if [ -d $LIBDIR ] + then + find -L $LIBDIR \! -user root -exec chown root {} \; + fi +done + + - name: Read list libraries without root ownership + command: find -L /usr/lib /usr/lib64 /lib /lib64 \! 
-user root + register: libraries_not_owned_by_root + changed_when: false + failed_when: false + check_mode: false + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - file_ownership_library_dirs + - medium_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Set ownership of system libraries to root + file: + path: '{{ item }}' + owner: root + with_items: '{{ libraries_not_owned_by_root.stdout_lines }}' + when: libraries_not_owned_by_root | length > 0 + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - file_ownership_library_dirs + - medium_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + + + + + + Verify Permissions on Files within /var/log Directory + The /var/log directory contains files with logs of error +messages in the system and should only be accessed by authorized +personnel. + + Verify Group Who Owns /var/log Directory + To properly set the group owner of /var/log, run the command: $ sudo chgrp root /var/log + SRG-OS-000206-GPOS-00084 + CCI-001314 + The /var/log directory contains files with logs of error +messages in the system and should only be accessed by authorized +personnel. 
+ + +chgrp 0 /var/log/ + + - name: Test for existence /var/log/ + stat: + path: /var/log/ + register: file_exists + tags: + - configure_strategy + - file_groupowner_var_log + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure group owner 0 on /var/log/ + file: + path: /var/log/ + group: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_groupowner_var_log + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify User Who Owns /var/log Directory + To properly set the owner of /var/log, run the command: $ sudo chown root /var/log + SRG-OS-000206-GPOS-00084 + CCI-001314 + The /var/log directory contains files with logs of error +messages in the system and should only be accessed by authorized +personnel. + + +chown 0 /var/log/ + + - name: Test for existence /var/log/ + stat: + path: /var/log/ + register: file_exists + tags: + - configure_strategy + - file_owner_var_log + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure owner 0 on /var/log/ + file: + path: /var/log/ + owner: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_owner_var_log + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Group Who Owns /var/log/messages File + To properly set the group owner of /var/log/messages, run the command: $ sudo chgrp root /var/log/messages + SRG-OS-000206-GPOS-00084 + CCI-001314 + The /var/log/messages file contains logs of error messages in +the system and should only be accessed by authorized personnel. 
+ + +chgrp 0 /var/log/messages + + - name: Test for existence /var/log/messages + stat: + path: /var/log/messages + register: file_exists + tags: + - configure_strategy + - file_groupowner_var_log_messages + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure group owner 0 on /var/log/messages + file: + path: /var/log/messages + group: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_groupowner_var_log_messages + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Permissions on /var/log/messages File + +To properly set the permissions of /var/log/messages, run the command: +$ sudo chmod 0640 /var/log/messages + SRG-OS-000206-GPOS-00084 + CCI-001314 + The /var/log/messages file contains logs of error messages in +the system and should only be accessed by authorized personnel. + + +chmod 0640 /var/log/messages + + - name: Test for existence /var/log/messages + stat: + path: /var/log/messages + register: file_exists + tags: + - configure_strategy + - file_permissions_var_log_messages + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure permission 0640 on /var/log/messages + file: + path: /var/log/messages + mode: '0640' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_permissions_var_log_messages + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Permissions on /var/log Directory + +To properly set the permissions of /var/log, run the command: +$ sudo chmod 0755 /var/log + SRG-OS-000206-GPOS-00084 + CCI-001314 + The /var/log directory contains files with logs of error +messages in the system and should only be accessed by authorized +personnel. 
+ + +chmod 0755 /var/log/ + + - name: Test for existence /var/log/ + stat: + path: /var/log/ + register: file_exists + tags: + - configure_strategy + - file_permissions_var_log + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure permission 0755 on /var/log/ + file: + path: /var/log/ + mode: '0755' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_permissions_var_log + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify User Who Owns /var/log/messages File + To properly set the owner of /var/log/messages, run the command: $ sudo chown root /var/log/messages + SRG-OS-000206-GPOS-00084 + CCI-001314 + The /var/log/messages file contains logs of error messages in +the system and should only be accessed by authorized personnel. + + +chown 0 /var/log/messages + + - name: Test for existence /var/log/messages + stat: + path: /var/log/messages + register: file_exists + tags: + - configure_strategy + - file_owner_var_log_messages + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure owner 0 on /var/log/messages + file: + path: /var/log/messages + owner: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_owner_var_log_messages + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + + Verify Permissions on Files with Local Account Information and Credentials + The default restrictive permissions for files which act as +important security databases such as passwd, shadow, +group, and gshadow files must be maintained. Many utilities +need read access to the passwd file in order to function properly, but +read access to the shadow file allows malicious attacks against system +passwords, and should never be enabled. 
+ + Verify User Who Owns Backup group File + To properly set the owner of /etc/group-, run the command: $ sudo chown root /etc/group- + The /etc/group- file is a backup file of /etc/group, and as such, +it contains information regarding groups that are configured on the system. +Protection of this file is important for system security. + + +chown 0 /etc/group- + + - name: Test for existence /etc/group- + stat: + path: /etc/group- + register: file_exists + tags: + - configure_strategy + - file_owner_backup_etc_group + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure owner 0 on /etc/group- + file: + path: /etc/group- + owner: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_owner_backup_etc_group + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Group Who Owns Backup gshadow File + To properly set the group owner of /etc/gshadow-, run the command: $ sudo chgrp root /etc/gshadow- + The /etc/gshadow- file is a backup of /etc/gshadow, and as such, +it contains group password hashes. Protection of this file is critical for system security. 
+ + +chgrp 0 /etc/gshadow- + + - name: Test for existence /etc/gshadow- + stat: + path: /etc/gshadow- + register: file_exists + tags: + - configure_strategy + - file_groupowner_backup_etc_gshadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure group owner 0 on /etc/gshadow- + file: + path: /etc/gshadow- + group: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_groupowner_backup_etc_gshadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Group Who Owns passwd File + To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd + 5.5.2.2 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + Req-8.7.c + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + The /etc/passwd file contains information about the users that are configured on +the system. Protection of this file is critical for system security. 
+ + +chgrp 0 /etc/passwd + + - name: Test for existence /etc/passwd + stat: + path: /etc/passwd + register: file_exists + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_groupowner_etc_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure group owner 0 on /etc/passwd + file: + path: /etc/passwd + group: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_groupowner_etc_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Group Who Owns gshadow File + To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp root /etc/gshadow + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + The /etc/gshadow file contains group password hashes. Protection of this file +is critical for system security. 
+ + +chgrp 0 /etc/gshadow + + - name: Test for existence /etc/gshadow + stat: + path: /etc/gshadow + register: file_exists + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_groupowner_etc_gshadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure group owner 0 on /etc/gshadow + file: + path: /etc/gshadow + group: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_groupowner_etc_gshadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Permissions on passwd File + +To properly set the permissions of /etc/passwd, run the command: +$ sudo chmod 0644 /etc/passwd + 5.5.2.2 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + Req-8.7.c + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + BP28(R36) + If the /etc/passwd file is writable by a group-owner or the +world the risk of its compromise is increased. The file contains the list of +accounts on the system and associated information, and protection of this file +is critical for system security. 
+ + +chmod 0644 /etc/passwd + + - name: Test for existence /etc/passwd + stat: + path: /etc/passwd + register: file_exists + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_permissions_etc_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure permission 0644 on /etc/passwd + file: + path: /etc/passwd + mode: '0644' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_permissions_etc_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Permissions on shadow File + +To properly set the permissions of /etc/shadow, run the command: +$ sudo chmod 0000 /etc/shadow + BP28(R36) + 5.5.2.2 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + Req-8.7.c + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + The /etc/shadow file contains the list of local +system accounts and stores password hashes. Protection of this file is +critical for system security. Failure to give ownership of this file +to root provides the designated owner with access to sensitive information +which could weaken the system security posture. 
+ + +chmod 0000 /etc/shadow + + - name: Test for existence /etc/shadow + stat: + path: /etc/shadow + register: file_exists + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_permissions_etc_shadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure permission 0000 on /etc/shadow + file: + path: /etc/shadow + mode: '0000' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_permissions_etc_shadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Group Who Owns group File + To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group + 5.5.2.2 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + Req-8.7.c + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + The /etc/group file contains information regarding groups that are configured +on the system. Protection of this file is important for system security. 
+ + +chgrp 0 /etc/group + + - name: Test for existence /etc/group + stat: + path: /etc/group + register: file_exists + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_groupowner_etc_group + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure group owner 0 on /etc/group + file: + path: /etc/group + group: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_groupowner_etc_group + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify User Who Owns group File + To properly set the owner of /etc/group, run the command: $ sudo chown root /etc/group + 5.5.2.2 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + Req-8.7.c + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + The /etc/group file contains information regarding groups that are configured +on the system. Protection of this file is important for system security. 
+ + +chown 0 /etc/group + + - name: Test for existence /etc/group + stat: + path: /etc/group + register: file_exists + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_owner_etc_group + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure owner 0 on /etc/group + file: + path: /etc/group + owner: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_owner_etc_group + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Permissions on Backup shadow File + +To properly set the permissions of /etc/shadow-, run the command: +$ sudo chmod 0000 /etc/shadow- + The /etc/shadow- file is a backup file of /etc/shadow, and as such, +it contains the list of local system accounts and password hashes. +Protection of this file is critical for system security. 
+ + +chmod 0000 /etc/shadow- + + - name: Test for existence /etc/shadow- + stat: + path: /etc/shadow- + register: file_exists + tags: + - configure_strategy + - file_permissions_backup_etc_shadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure permission 0000 on /etc/shadow- + file: + path: /etc/shadow- + mode: '0000' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_permissions_backup_etc_shadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Permissions on group File + +To properly set the permissions of /etc/passwd, run the command: +$ sudo chmod 0644 /etc/passwd + 5.5.2.2 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + Req-8.7.c + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + BP28(R36) + The /etc/group file contains information regarding groups that are configured +on the system. Protection of this file is important for system security. 
+ + +chmod 0644 /etc/group + + - name: Test for existence /etc/group + stat: + path: /etc/group + register: file_exists + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_permissions_etc_group + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure permission 0644 on /etc/group + file: + path: /etc/group + mode: '0644' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_permissions_etc_group + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Group Who Owns Backup group File + To properly set the group owner of /etc/group-, run the command: $ sudo chgrp root /etc/group- + The /etc/group- file is a backup file of /etc/group, and as such, +it contains information regarding groups that are configured on the system. +Protection of this file is important for system security. + + +chgrp 0 /etc/group- + + - name: Test for existence /etc/group- + stat: + path: /etc/group- + register: file_exists + tags: + - configure_strategy + - file_groupowner_backup_etc_group + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure group owner 0 on /etc/group- + file: + path: /etc/group- + group: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_groupowner_backup_etc_group + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Group Who Owns Backup shadow File + To properly set the owner of /etc/shadow-, run the command: $ sudo chown root /etc/shadow- + The /etc/shadow- file is a backup file of /etc/shadow, and as such, +it contains the list of local system accounts and password hashes. 
+Protection of this file is critical for system security. + + +chown 0 /etc/shadow- + + - name: Test for existence /etc/shadow- + stat: + path: /etc/shadow- + register: file_exists + tags: + - configure_strategy + - file_owner_backup_etc_shadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure owner 0 on /etc/shadow- + file: + path: /etc/shadow- + owner: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_owner_backup_etc_shadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify User Who Owns passwd File + To properly set the owner of /etc/passwd, run the command: $ sudo chown root /etc/passwd + 5.5.2.2 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + Req-8.7.c + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + The /etc/passwd file contains information about the users that are configured on +the system. Protection of this file is critical for system security. 
+ + +chown 0 /etc/passwd + + - name: Test for existence /etc/passwd + stat: + path: /etc/passwd + register: file_exists + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_owner_etc_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure owner 0 on /etc/passwd + file: + path: /etc/passwd + owner: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_owner_etc_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify User Who Owns Backup shadow File + To properly set the group owner of /etc/shadow-, run the command: $ sudo chgrp root /etc/shadow- + The /etc/shadow- file is a backup file of /etc/shadow, and as such, +it contains the list of local system accounts and password hashes. +Protection of this file is critical for system security. + + +chgrp 0 /etc/shadow- + + - name: Test for existence /etc/shadow- + stat: + path: /etc/shadow- + register: file_exists + tags: + - configure_strategy + - file_groupowner_backup_etc_shadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure group owner 0 on /etc/shadow- + file: + path: /etc/shadow- + group: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_groupowner_backup_etc_shadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Permissions on Backup passwd File + +To properly set the permissions of /etc/passwd-, run the command: +$ sudo chmod 0644 /etc/passwd- + The /etc/passwd- file is a backup file of /etc/passwd, and as such, +it contains information about the users that are configured on the system. 
+Protection of this file is critical for system security. + + +chmod 0644 /etc/passwd- + + - name: Test for existence /etc/passwd- + stat: + path: /etc/passwd- + register: file_exists + tags: + - configure_strategy + - file_permissions_backup_etc_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure permission 0644 on /etc/passwd- + file: + path: /etc/passwd- + mode: '0644' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_permissions_backup_etc_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify User Who Owns Backup gshadow File + To properly set the owner of /etc/gshadow-, run the command: $ sudo chown root /etc/gshadow- + The /etc/gshadow- file is a backup of /etc/gshadow, and as such, +it contains group password hashes. Protection of this file is critical for system security. + + +chown 0 /etc/gshadow- + + - name: Test for existence /etc/gshadow- + stat: + path: /etc/gshadow- + register: file_exists + tags: + - configure_strategy + - file_owner_backup_etc_gshadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure owner 0 on /etc/gshadow- + file: + path: /etc/gshadow- + owner: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_owner_backup_etc_gshadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify User Who Owns gshadow File + To properly set the owner of /etc/gshadow, run the command: $ sudo chown root /etc/gshadow + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + 
A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + BP28(R36) + The /etc/gshadow file contains group password hashes. Protection of this file +is critical for system security. + + +chown 0 /etc/gshadow + + - name: Test for existence /etc/gshadow + stat: + path: /etc/gshadow + register: file_exists + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_owner_etc_gshadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure owner 0 on /etc/gshadow + file: + path: /etc/gshadow + owner: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_owner_etc_gshadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Permissions on Backup group File + +To properly set the permissions of /etc/group-, run the command: +$ sudo chmod 0644 /etc/group- + The /etc/group- file is a backup file of /etc/group, and as such, +it contains information regarding groups that are configured on the system. +Protection of this file is important for system security. 
+ + +chmod 0644 /etc/group- + + - name: Test for existence /etc/group- + stat: + path: /etc/group- + register: file_exists + tags: + - configure_strategy + - file_permissions_backup_etc_group + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure permission 0644 on /etc/group- + file: + path: /etc/group- + mode: '0644' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_permissions_backup_etc_group + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Permissions on gshadow File + +To properly set the permissions of /etc/gshadow, run the command: +$ sudo chmod 0000 /etc/gshadow + BP28(R36) + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + The /etc/gshadow file contains group password hashes. Protection of this file +is critical for system security. 
+ + +chmod 0000 /etc/gshadow + + - name: Test for existence /etc/gshadow + stat: + path: /etc/gshadow + register: file_exists + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_permissions_etc_gshadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure permission 0000 on /etc/gshadow + file: + path: /etc/gshadow + mode: '0000' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_permissions_etc_gshadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Group Who Owns shadow File + To properly set the group owner of /etc/shadow, run the command: $ sudo chgrp root /etc/shadow + 5.5.2.2 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + Req-8.7.c + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + The /etc/shadow file stores password hashes. Protection of this file is +critical for system security. 
+ + +chgrp 0 /etc/shadow + + - name: Test for existence /etc/shadow + stat: + path: /etc/shadow + register: file_exists + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_groupowner_etc_shadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure group owner 0 on /etc/shadow + file: + path: /etc/shadow + group: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_groupowner_etc_shadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify User Who Owns Backup passwd File + To properly set the owner of /etc/passwd-, run the command: $ sudo chown root /etc/passwd- + The /etc/passwd- file is a backup file of /etc/passwd, and as such, +it contains information about the users that are configured on the system. +Protection of this file is critical for system security. + + +chown 0 /etc/passwd- + + - name: Test for existence /etc/passwd- + stat: + path: /etc/passwd- + register: file_exists + tags: + - configure_strategy + - file_owner_backup_etc_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure owner 0 on /etc/passwd- + file: + path: /etc/passwd- + owner: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_owner_backup_etc_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Group Who Owns Backup passwd File + To properly set the group owner of /etc/passwd-, run the command: $ sudo chgrp root /etc/passwd- + The /etc/passwd- file is a backup file of /etc/passwd, and as such, +it contains information about the users that are configured on the system. 
+Protection of this file is critical for system security. + + +chgrp 0 /etc/passwd- + + - name: Test for existence /etc/passwd- + stat: + path: /etc/passwd- + register: file_exists + tags: + - configure_strategy + - file_groupowner_backup_etc_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure group owner 0 on /etc/passwd- + file: + path: /etc/passwd- + group: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_groupowner_backup_etc_passwd + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify Permissions on Backup gshadow File + +To properly set the permissions of /etc/gshadow-, run the command: +$ sudo chmod 0000 /etc/gshadow- + The /etc/gshadow- file is a backup of /etc/gshadow, and as such, +it contains group password hashes. Protection of this file is critical for system security. + + +chmod 0000 /etc/gshadow- + + - name: Test for existence /etc/gshadow- + stat: + path: /etc/gshadow- + register: file_exists + tags: + - configure_strategy + - file_permissions_backup_etc_gshadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure permission 0000 on /etc/gshadow- + file: + path: /etc/gshadow- + mode: '0000' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - configure_strategy + - file_permissions_backup_etc_gshadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify User Who Owns shadow File + To properly set the owner of /etc/shadow, run the command: $ sudo chown root /etc/shadow + 5.5.2.2 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + Req-8.7.c + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + 
A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + BP28(R36) + The /etc/shadow file contains the list of local +system accounts and stores password hashes. Protection of this file is +critical for system security. Failure to give ownership of this file +to root provides the designated owner with access to sensitive information +which could weaken the system security posture. + + +chown 0 /etc/shadow + + - name: Test for existence /etc/shadow + stat: + path: /etc/shadow + register: file_exists + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_owner_etc_shadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure owner 0 on /etc/shadow + file: + path: /etc/shadow + owner: '0' + when: file_exists.stat is defined and file_exists.stat.exists + tags: + - CJIS-5.5.2.2 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-8.7.c + - configure_strategy + - file_owner_etc_shadow + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + + + Verify Permissions on Important Files and +Directories Are Configured in /etc/permissions.local + Permissions for many files on a system must be set +restrictively to ensure sensitive information is properly protected. +This section discusses the /etc/permissions.local file, where +expected permissions can be configured to be checked and fixed through +usage of the chkstat command. + + + Restrict Partition Mount Options + System partitions can be mounted with certain options +that limit what files on those partitions can do. These options +are set in the /etc/fstab configuration file, and can be +used to make certain types of malicious behavior more difficult. 
+ + Removable Partition + This value is used by the checks mount_option_nodev_removable_partitions, mount_option_nodev_removable_partitions, +and mount_option_nodev_removable_partitions to ensure that the correct mount options are set on partitions mounted from +removable media such as CD-ROMs, USB keys, and floppy drives. This value should be modified to reflect any removable +partitions that are required on the local system. + /dev/cdrom + + + Add nodev Option to /dev/shm + The nodev mount option can be used to prevent creation of device +files in /dev/shm. Legitimate character and block devices should +not exist within temporary directories like /dev/shm. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of +/dev/shm. + CCI-001764 + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS05.06 + DSS06.06 + A.11.2.9 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.8.2.1 + A.8.2.2 + A.8.2.3 + A.8.3.1 + A.8.3.3 + A.9.1.2 + 11 + 13 + 14 + 3 + 8 + 9 + SRG-OS-000368-GPOS-00154 + The only legitimate location for device files is the /dev directory +located on the root partition. The only exception to this is chroot jails. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "no" = 'yes'; then + assert_mount_point_in_fstab /dev/shm || { echo "Not remediating, because there is no record of /dev/shm in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/dev/shm" "nodev" "tmpfs" "tmpfs" + + ensure_partition_is_mounted "/dev/shm" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt '/dev/shm' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_nodev + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_nodev + - no_reboot_needed + +- name: If /dev/shm not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + 
- fstype + - options + - - /dev/shm + - tmpfs + - tmpfs + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("" | length == 0) + - (device_name.stdout | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_nodev + - no_reboot_needed + +- name: Make sure nodev option is part of the to /dev/shm options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "nodev" not in mount_info.options + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_nodev + - no_reboot_needed + +- name: Ensure /dev/shm is mounted with nodev option + mount: + path: /dev/shm + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" + | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_nodev + - no_reboot_needed + + + + + + + + + + Add nosuid Option to Removable Media Partitions + The nosuid mount option prevents set-user-identifier (SUID) +and set-group-identifier (SGID) permissions from taking effect. 
These permissions +allow users to execute binaries with the same permissions as the owner and group +of the file respectively. Users should not be allowed to introduce SUID and SGID +files into the system via partitions mounted from removeable media. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of + + any removable media partitions. + CCI-000366 + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.AC-3 + PR.AC-4 + PR.AC-6 + PR.DS-5 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 5.2 + SR 7.6 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO01.06 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.04 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.06 + DSS05.07 + DSS06.02 + DSS06.03 + DSS06.06 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.11.2.6 + A.11.2.9 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.1.2 + A.6.2.1 + A.6.2.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.1 + A.8.2.2 + A.8.2.3 + A.8.3.1 + A.8.3.3 + A.9.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + 8 + 9 + The presence of SUID and SGID executables should be tightly controlled. Allowing +users to introduce SUID or SGID binaries from partitions mounted off of +removable media would allow them to introduce their own highly-privileged programs. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +var_removable_partition="" + + + +device_regex="^\s*$var_removable_partition\s\+" +mount_option="nosuid" + +if grep -q $device_regex /etc/fstab ; then + previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}') + sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab +else + echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2 + return 1 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_removable_partition # promote to variable + set_fact: + var_removable_partition: !!str + tags: + - always + +- name: Ensure permission nosuid are set on var_removable_partition + lineinfile: + path: /etc/fstab + regexp: ^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$ + backrefs: true + line: \1 \2 \3 \4,nosuid \5 + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_nosuid_removable_partitions + - no_reboot_needed + + + + + + + + Add noexec Option to Removable Media Partitions + The noexec mount option prevents the direct execution of binaries +on the mounted filesystem. Preventing the direct execution of binaries from +removable media (such as a USB key) provides a defense against malicious +software that may be present on such untrusted media. +Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of + + any removable media partitions. 
+ CCI-000087 + CCI-000366 + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.AC-3 + PR.AC-6 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.04 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.06 + DSS05.07 + DSS06.03 + DSS06.06 + A.11.2.6 + A.11.2.9 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.2.1 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.2.1 + A.6.2.2 + A.7.1.1 + A.8.2.1 + A.8.2.2 + A.8.2.3 + A.8.3.1 + A.8.3.3 + A.9.1.2 + A.9.2.1 + 11 + 12 + 13 + 14 + 16 + 3 + 8 + 9 + SRG-OS-000480-GPOS-00227 + Allowing users to execute binaries from removable media such as USB keys exposes +the system to potential compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +var_removable_partition="" + + + +device_regex="^\s*$var_removable_partition\s\+" +mount_option="noexec" + +if grep -q $device_regex /etc/fstab ; then + previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}') + sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab +else + echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2 + return 1 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_removable_partition # promote to variable + set_fact: + var_removable_partition: !!str + tags: + - always + +- name: Ensure permission noexec are set on var_removable_partition + lineinfile: + path: /etc/fstab + regexp: ^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$ + backrefs: true + line: \1 \2 \3 \4,noexec \5 + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_noexec_removable_partitions + - no_reboot_needed + + + + + + + + + + + Add noexec Option to /var/log + The noexec mount option can be used to prevent binaries +from being executed out of /var/log. +Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of +/var/log. + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SRG-OS-000368-GPOS-00154 + BP28(R12) + CCI-001764 + Allowing users to execute binaries from directories containing log files +such as /var/log should never be necessary in normal operation and +can expose the system to potential compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /var/log || { echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/var/log" "noexec" "" "" + + ensure_partition_is_mounted "/var/log" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/var/log' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_noexec + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_noexec + - no_reboot_needed + +- name: If /var/log not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - 
source + - fstype + - options + - - /var/log + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_noexec + - no_reboot_needed + +- name: Make sure noexec option is part of the to /var/log options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "noexec" not in mount_info.options + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_noexec + - no_reboot_needed + +- name: Ensure /var/log is mounted with noexec option + mount: + path: /var/log + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_noexec + - no_reboot_needed + + +part /var/log --mountoptions="noexec" + + + + + + + + + + Add nodev Option to /tmp + The nodev mount option can be used to prevent device files from +being 
created in /tmp. Legitimate character and block devices +should not exist within temporary directories like /tmp. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of +/tmp. + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS05.06 + DSS06.06 + A.11.2.9 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.8.2.1 + A.8.2.2 + A.8.2.3 + A.8.3.1 + A.8.3.3 + A.9.1.2 + 11 + 13 + 14 + 3 + 8 + 9 + BP28(R12) + SRG-OS-000368-GPOS-00154 + CCI-001764 + The only legitimate location for device files is the /dev directory +located on the root partition. The only exception to this is chroot jails. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /tmp || { echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/tmp" "nodev" "" "" + + ensure_partition_is_mounted "/tmp" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/tmp' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_tmp_nodev + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_tmp_nodev + - no_reboot_needed + +- name: If /tmp not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + - - 
/tmp + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_tmp_nodev + - no_reboot_needed + +- name: Make sure nodev option is part of the to /tmp options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "nodev" not in mount_info.options + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_tmp_nodev + - no_reboot_needed + +- name: Ensure /tmp is mounted with nodev option + mount: + path: /tmp + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_tmp_nodev + - no_reboot_needed + + +part /tmp --mountoptions="nodev" + + + + + + + + + + Add nodev Option to Non-Root Local Partitions + The nodev mount option prevents files from being interpreted as +character or block devices. 
Legitimate character and block devices should +exist only in the /dev directory on the root partition or within +chroot jails built for system services. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of + + any non-root local partitions. + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + SRG-OS-000368-GPOS-00154 + SRG-OS-000480-GPOS-00227 + BP28(R12) + CCI-000366 + The nodev mount option prevents files from being +interpreted as character or block devices. The only legitimate location +for device files is the /dev directory located on the root partition. +The only exception to this is chroot jails, for which it is not advised +to set nodev on these filesystems. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +include_mount_options_functions + +MOUNT_OPTION="nodev" +# Create array of local non-root partitions +readarray -t partitions_records < <(findmnt --mtab --raw --evaluate | grep "^/\w" | grep "\s/dev/\w") + +for partition_record in "${partitions_records[@]}"; do + # Get all important information for fstab + mount_point="$(echo ${partition_record} | cut -d " " -f1)" + device="$(echo ${partition_record} | cut -d " " -f2)" + device_type="$(echo ${partition_record} | cut -d " " -f3)" + # device and device_type will be used only in case when the device doesn't have fstab record + ensure_mount_option_in_fstab "$mount_point" "$MOUNT_OPTION" "$device" "$device_type" + ensure_partition_is_mounted "$mount_point" +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure non-root local partitions are mounted with nodev option + mount: + path: '{{ item.mount }}' + src: '{{ item.device }}' + opts: '{{ item.options }},nodev' + state: mounted + fstype: '{{ item.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - item.mount is match('/\w') + - item.options is not search('nodev') + with_items: + - '{{ ansible_facts.mounts }}' + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_nodev_nonroot_local_partitions + - no_reboot_needed + + + + + + + + + + Add nodev Option to /var/log/audit + The nodev mount option can be used to prevent device files from +being created in /var/log/audit. +Legitimate character and block devices should exist only in +the /dev directory on the root partition or within chroot +jails built for system services. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of +/var/log/audit. 
+ CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SRG-OS-000368-GPOS-00154 + CCI-001764 + The only legitimate location for device files is the /dev directory +located on the root partition. The only exception to this is chroot jails. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /var/log/audit || { echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/var/log/audit" "nodev" "" "" + + ensure_partition_is_mounted "/var/log/audit" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/var/log/audit' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_audit_nodev + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - 
NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_audit_nodev + - no_reboot_needed + +- name: If /var/log/audit not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + - - /var/log/audit + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_audit_nodev + - no_reboot_needed + +- name: Make sure nodev option is part of the to /var/log/audit options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "nodev" not in mount_info.options + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_audit_nodev + - no_reboot_needed + +- name: Ensure /var/log/audit is mounted with nodev option + mount: + path: /var/log/audit + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + 
tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_audit_nodev + - no_reboot_needed + + +part /var/log/audit --mountoptions="nodev" + + + + + + + + + + Add noauto Option to /boot + The noauto mount option is used to prevent automatic mounting of th +/boot partition. +Add the noauto option to the fourth column of +/etc/fstab for the line which controls mounting of +/boot. + Although contents of the /boot partition should not be needed +during normal system operation, they might need to be accessible during +system maintenance and upgrades. Make sure that applying this rule will +not break upgrade or maintenance processes affecting the system. + BP28(R12) + The /boot partition contains the kernel and the bootloader. Access +to the partition after the boot process finishes should not be needed. Files +contained within this partition can be analysed and gained information can +be used for exploit creation. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /boot || { echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/boot" "noauto" "" "" + + ensure_partition_is_mounted "/boot" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/boot' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_noauto + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_noauto + - no_reboot_needed + +- name: If /boot not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + - - /boot + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - configure_strategy + - high_disruption + - 
low_complexity + - medium_severity + - mount_option_boot_noauto + - no_reboot_needed + +- name: Make sure noauto option is part of the to /boot options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noauto'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "noauto" not in mount_info.options + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_noauto + - no_reboot_needed + +- name: Ensure /boot is mounted with noauto option + mount: + path: /boot + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_noauto + - no_reboot_needed + + +part /boot --mountoptions="noauto" + + + + + + + + + + Add nosuid Option to /opt + The nosuid mount option can be used to prevent +execution of setuid programs in /opt. The SUID and SGID permissions +should not be required in this directory. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/opt. + BP28(R12) + The presence of SUID and SGID executables should be tightly controlled. The +/opt directory contains additional software packages. Users should +not be able to execute SUID or SGID binaries from this directory. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /opt || { echo "Not remediating, because there is no record of /opt in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/opt" "nosuid" "" "" + + ensure_partition_is_mounted "/opt" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/opt' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_opt_nosuid + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_opt_nosuid + - no_reboot_needed + +- name: If /opt not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + - - /opt + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - configure_strategy + - high_disruption + - low_complexity + - 
medium_severity + - mount_option_opt_nosuid + - no_reboot_needed + +- name: Make sure nosuid option is part of the to /opt options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "nosuid" not in mount_info.options + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_opt_nosuid + - no_reboot_needed + +- name: Ensure /opt is mounted with nosuid option + mount: + path: /opt + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_opt_nosuid + - no_reboot_needed + + +part /opt --mountoptions="nosuid" + + + + + + + + + + Add nosuid Option to /boot + The nosuid mount option can be used to prevent +execution of setuid programs in /boot. The SUID and SGID permissions +should not be required on the boot partition. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/boot. + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SRG-OS-000368-GPOS-00154 + SRG-OS-000480-GPOS-00227 + BP28(R12) + CCI-000366 + The presence of SUID and SGID executables should be tightly controlled. Users +should not be able to execute SUID or SGID binaries from boot partitions. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /boot || { echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/boot" "nosuid" "" "" + + ensure_partition_is_mounted "/boot" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/boot' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_nosuid + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_nosuid + - no_reboot_needed + +- name: If /boot not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - 
options + - - /boot + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_nosuid + - no_reboot_needed + +- name: Make sure nosuid option is part of the to /boot options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "nosuid" not in mount_info.options + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_nosuid + - no_reboot_needed + +- name: Ensure /boot is mounted with nosuid option + mount: + path: /boot + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_nosuid + - no_reboot_needed + + +part /boot --mountoptions="nosuid" + + + + + + + + + + Add nosuid Option to /tmp + The nosuid mount option can be used to prevent +execution of setuid programs in /tmp. 
The SUID and SGID permissions +should not be required in these world-writable directories. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/tmp. + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS05.06 + DSS06.06 + A.11.2.9 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.8.2.1 + A.8.2.2 + A.8.2.3 + A.8.3.1 + A.8.3.3 + A.9.1.2 + 11 + 13 + 14 + 3 + 8 + 9 + BP28(R12) + SRG-OS-000368-GPOS-00154 + CCI-001764 + The presence of SUID and SGID executables should be tightly controlled. Users +should not be able to execute SUID or SGID binaries from temporary storage partitions. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /tmp || { echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/tmp" "nosuid" "" "" + + ensure_partition_is_mounted "/tmp" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/tmp' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_tmp_nosuid + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_tmp_nosuid + - no_reboot_needed + +- name: If /tmp not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + 
- - /tmp + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_tmp_nosuid + - no_reboot_needed + +- name: Make sure nosuid option is part of the to /tmp options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "nosuid" not in mount_info.options + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_tmp_nosuid + - no_reboot_needed + +- name: Ensure /tmp is mounted with nosuid option + mount: + path: /tmp + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_tmp_nosuid + - no_reboot_needed + + +part /tmp --mountoptions="nosuid" + + + + + + + + + + Add noexec Option to /var/log/audit + The noexec mount option can be used to prevent binaries +from being executed out of /var/log/audit. 
+Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of +/var/log/audit. + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SRG-OS-000368-GPOS-00154 + CCI-001764 + Allowing users to execute binaries from directories containing audit log files +such as /var/log/audit should never be necessary in normal operation and +can expose the system to potential compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /var/log/audit || { echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/var/log/audit" "noexec" "" "" + + ensure_partition_is_mounted "/var/log/audit" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/var/log/audit' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_audit_noexec + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - 
device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_audit_noexec + - no_reboot_needed + +- name: If /var/log/audit not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + - - /var/log/audit + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_audit_noexec + - no_reboot_needed + +- name: Make sure noexec option is part of the to /var/log/audit options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "noexec" not in mount_info.options + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_audit_noexec + - no_reboot_needed + +- name: Ensure /var/log/audit is mounted with noexec option + mount: + path: /var/log/audit + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_audit_noexec + - no_reboot_needed + + +part /var/log/audit --mountoptions="noexec" + + + + + + + + + + Add nosuid Option to /dev/shm + The nosuid mount option can be used to prevent execution +of setuid programs in /dev/shm. The SUID and SGID permissions should not +be required in these world-writable directories. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/dev/shm. + CCI-001764 + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS05.06 + DSS06.06 + A.11.2.9 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.8.2.1 + A.8.2.2 + A.8.2.3 + A.8.3.1 + A.8.3.3 + A.9.1.2 + 11 + 13 + 14 + 3 + 8 + 9 + SRG-OS-000368-GPOS-00154 + The presence of SUID and SGID executables should be tightly controlled. Users +should not be able to execute SUID or SGID binaries from temporary storage partitions. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "no" = 'yes'; then + assert_mount_point_in_fstab /dev/shm || { echo "Not remediating, because there is no record of /dev/shm in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/dev/shm" "nosuid" "tmpfs" "tmpfs" + + ensure_partition_is_mounted "/dev/shm" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt '/dev/shm' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_nosuid + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_nosuid + - no_reboot_needed + +- name: If /dev/shm not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - 
source + - fstype + - options + - - /dev/shm + - tmpfs + - tmpfs + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("" | length == 0) + - (device_name.stdout | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_nosuid + - no_reboot_needed + +- name: Make sure nosuid option is part of the to /dev/shm options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "nosuid" not in mount_info.options + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_nosuid + - no_reboot_needed + +- name: Ensure /dev/shm is mounted with nosuid option + mount: + path: /dev/shm + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" + | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_nosuid + - no_reboot_needed + + + + + + + + + + Add noexec Option to /tmp + The noexec mount option can be used to prevent binaries +from being executed out of /tmp. 
+Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of +/tmp. + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS05.06 + DSS06.06 + A.11.2.9 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.8.2.1 + A.8.2.2 + A.8.2.3 + A.8.3.1 + A.8.3.3 + A.9.1.2 + 11 + 13 + 14 + 3 + 8 + 9 + BP28(R12) + SRG-OS-000368-GPOS-00154 + CCI-001764 + Allowing users to execute binaries from world-writable directories +such as /tmp should never be necessary in normal operation and +can expose the system to potential compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /tmp || { echo "Not remediating, because there is no record of /tmp in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/tmp" "noexec" "" "" + + ensure_partition_is_mounted "/tmp" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/tmp' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_tmp_noexec + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_tmp_noexec + - no_reboot_needed + +- name: If /tmp not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + 
- - /tmp + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_tmp_noexec + - no_reboot_needed + +- name: Make sure noexec option is part of the to /tmp options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "noexec" not in mount_info.options + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_tmp_noexec + - no_reboot_needed + +- name: Ensure /tmp is mounted with noexec option + mount: + path: /tmp + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_tmp_noexec + - no_reboot_needed + + +part /tmp --mountoptions="noexec" + + + + + + + + + + Add nodev Option to Removable Media Partitions + The nodev mount option prevents files from being +interpreted as character or block devices. 
+Legitimate character and block devices should exist only in +the /dev directory on the root partition or within chroot +jails built for system services. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of + + any removable media partitions. + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.AC-3 + PR.AC-6 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.04 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.06 + DSS05.07 + DSS06.03 + DSS06.06 + A.11.2.6 + A.11.2.9 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.2.1 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.2.1 + A.6.2.2 + A.7.1.1 + A.8.2.1 + A.8.2.2 + A.8.2.3 + A.8.3.1 + A.8.3.3 + A.9.1.2 + A.9.2.1 + 11 + 12 + 13 + 14 + 16 + 3 + 8 + 9 + SRG-OS-000480-GPOS-00227 + CCI-000366 + The only legitimate location for device files is the /dev directory +located on the root partition. An exception to this is chroot jails, and it is +not advised to set nodev on partitions which contain their root +filesystems. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +var_removable_partition="" + + + +device_regex="^\s*$var_removable_partition\s\+" +mount_option="nodev" + +if grep -q $device_regex /etc/fstab ; then + previous_opts=$(grep $device_regex /etc/fstab | awk '{print $4}') + sed -i "s|\($device_regex.*$previous_opts\)|\1,$mount_option|" /etc/fstab +else + echo "Not remediating, because there is no record of $var_removable_partition in /etc/fstab" >&2 + return 1 +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_removable_partition # promote to variable + set_fact: + var_removable_partition: !!str + tags: + - always + +- name: Ensure permission nodev are set on var_removable_partition + lineinfile: + path: /etc/fstab + regexp: ^\s*({{ var_removable_partition }})\s+([^\s]*)\s+([^\s]*)\s+([^\s]*)(.*)$ + backrefs: true + line: \1 \2 \3 \4,nodev \5 + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_nodev_removable_partitions + - no_reboot_needed + + + + + + + + Add nosuid Option to /var + The nosuid mount option can be used to prevent +execution of setuid programs in /var. The SUID and SGID permissions +should not be required for this directory. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/var. + BP28(R12) + The presence of SUID and SGID executables should be tightly controlled. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /var || { echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/var" "nosuid" "" "" + + ensure_partition_is_mounted "/var" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/var' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - configure_strategy + - high_disruption + - low_complexity + - mount_option_var_nosuid + - no_reboot_needed + - unknown_severity + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - configure_strategy + - high_disruption + - low_complexity + - mount_option_var_nosuid + - no_reboot_needed + - unknown_severity + +- name: If /var not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + - - /var + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - configure_strategy + - high_disruption + - low_complexity + 
- mount_option_var_nosuid + - no_reboot_needed + - unknown_severity + +- name: Make sure nosuid option is part of the to /var options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "nosuid" not in mount_info.options + tags: + - configure_strategy + - high_disruption + - low_complexity + - mount_option_var_nosuid + - no_reboot_needed + - unknown_severity + +- name: Ensure /var is mounted with nosuid option + mount: + path: /var + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - configure_strategy + - high_disruption + - low_complexity + - mount_option_var_nosuid + - no_reboot_needed + - unknown_severity + + +part /var --mountoptions="nosuid" + + + + + + + + + + Add nodev Option to /var/log + The nodev mount option can be used to prevent device files from +being created in /var/log. +Legitimate character and block devices should exist only in +the /dev directory on the root partition or within chroot +jails built for system services. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of +/var/log. + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SRG-OS-000368-GPOS-00154 + CCI-001764 + The only legitimate location for device files is the /dev directory +located on the root partition. The only exception to this is chroot jails. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /var/log || { echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/var/log" "nodev" "" "" + + ensure_partition_is_mounted "/var/log" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/var/log' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_nodev + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_nodev + - no_reboot_needed + +- name: If /var/log not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - 
source + - fstype + - options + - - /var/log + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_nodev + - no_reboot_needed + +- name: Make sure nodev option is part of the to /var/log options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "nodev" not in mount_info.options + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_nodev + - no_reboot_needed + +- name: Ensure /var/log is mounted with nodev option + mount: + path: /var/log + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_nodev + - no_reboot_needed + + +part /var/log --mountoptions="nodev" + + + + + + + + + + Add nodev Option to /var + The nodev mount option can be used to prevent device files from +being created in 
/var. +Legitimate character and block devices should exist only in +the /dev directory on the root partition or within chroot +jails built for system services. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of +/var. + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SRG-OS-000368-GPOS-00154 + The only legitimate location for device files is the /dev directory +located on the root partition. The only exception to this is chroot jails. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /var || { echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/var" "nodev" "" "" + + ensure_partition_is_mounted "/var" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/var' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_nodev + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", 
"container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_nodev + - no_reboot_needed + +- name: If /var not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + - - /var + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_nodev + - no_reboot_needed + +- name: Make sure nodev option is part of the to /var options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "nodev" not in mount_info.options + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_nodev + - no_reboot_needed + +- name: Ensure /var is mounted with nodev option + mount: + path: /var + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - 
(device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_nodev + - no_reboot_needed + + +part /var --mountoptions="nodev" + + + + + + + + + + Add noexec Option to /boot + The noexec mount option can be used to prevent binaries from being +executed out of /boot. +Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of +/boot. + BP28(R12) + The /boot partition contains the kernel and the bootloader. No +binaries should be executed from this partition after the booting process +finishes. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /boot || { echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/boot" "noexec" "" "" + + ensure_partition_is_mounted "/boot" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/boot' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_noexec + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ 
device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_noexec + - no_reboot_needed + +- name: If /boot not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + - - /boot + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_noexec + - no_reboot_needed + +- name: Make sure noexec option is part of the to /boot options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "noexec" not in mount_info.options + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_noexec + - no_reboot_needed + +- name: Ensure /boot is mounted with noexec option + mount: + path: /boot + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - 
mount_option_boot_noexec + - no_reboot_needed + + +part /boot --mountoptions="noexec" + + + + + + + + + + Add noexec Option to /home + The noexec mount option can be used to prevent binaries from being +executed out of /home. +Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of +/home. + BP28(R12) + The /home directory contains data of individual users. Binaries in +this directory should not be considered as trusted and users should not be +able to execute them. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /home || { echo "Not remediating, because there is no record of /home in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/home" "noexec" "" "" + + ensure_partition_is_mounted "/home" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/home' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_home_noexec + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - 
configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_home_noexec + - no_reboot_needed + +- name: If /home not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + - - /home + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_home_noexec + - no_reboot_needed + +- name: Make sure noexec option is part of the to /home options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "noexec" not in mount_info.options + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_home_noexec + - no_reboot_needed + +- name: Ensure /home is mounted with noexec option + mount: + path: /home + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_home_noexec + - no_reboot_needed + + +part /home --mountoptions="noexec" + + + + + + + + + + Add noexec Option to /var + The noexec mount option can be used to prevent binaries from being +executed out of /var. +Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of +/var. 
+ BP28(R12) + The /var directory contains variable system data such as logs, +mails and caches. No binaries should be executed from this directory. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /var || { echo "Not remediating, because there is no record of /var in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/var" "noexec" "" "" + + ensure_partition_is_mounted "/var" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/var' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_noexec + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_noexec + - no_reboot_needed + +- name: If /var not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + - - /var + - '' + - '' + - defaults + 
when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_noexec + - no_reboot_needed + +- name: Make sure noexec option is part of the to /var options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "noexec" not in mount_info.options + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_noexec + - no_reboot_needed + +- name: Ensure /var is mounted with noexec option + mount: + path: /var + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_noexec + - no_reboot_needed + + +part /var --mountoptions="noexec" + + + + + + + + + + Add nodev Option to /boot + The nodev mount option can be used to prevent device files from +being created in /boot. +Legitimate character and block devices should exist only in +the /dev directory on the root partition or within chroot +jails built for system services. +Add the nodev option to the fourth column of +/etc/fstab for the line which controls mounting of +/boot. + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SRG-OS-000368-GPOS-00154 + The only legitimate location for device files is the /dev directory +located on the root partition. 
The only exception to this is chroot jails. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /boot || { echo "Not remediating, because there is no record of /boot in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/boot" "nodev" "" "" + + ensure_partition_is_mounted "/boot" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/boot' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_nodev + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_nodev + - no_reboot_needed + +- name: If /boot not mounted, craft mount_info manually + 
set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + - - /boot + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_nodev + - no_reboot_needed + +- name: Make sure nodev option is part of the to /boot options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "nodev" not in mount_info.options + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_nodev + - no_reboot_needed + +- name: Ensure /boot is mounted with nodev option + mount: + path: /boot + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_boot_nodev + - no_reboot_needed + + +part /boot --mountoptions="nodev" + + + + + + + + + + Add nosuid Option to 
/srv + The nosuid mount option can be used to prevent +execution of setuid programs in /srv. The SUID and SGID permissions +should not be required in this directory. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/srv. + BP28(R12) + The presence of SUID and SGID executables should be tightly controlled. The +/srv directory contains files served by various network services such as FTP. Users should +not be able to execute SUID or SGID binaries from this directory. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /srv || { echo "Not remediating, because there is no record of /srv in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/srv" "nosuid" "" "" + + ensure_partition_is_mounted "/srv" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/srv' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_srv_nosuid + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - 
configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_srv_nosuid + - no_reboot_needed + +- name: If /srv not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + - - /srv + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_srv_nosuid + - no_reboot_needed + +- name: Make sure nosuid option is part of the to /srv options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "nosuid" not in mount_info.options + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_srv_nosuid + - no_reboot_needed + +- name: Ensure /srv is mounted with nosuid option + mount: + path: /srv + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_srv_nosuid + - no_reboot_needed + + +part /srv --mountoptions="nosuid" + + + + + + + + + + Add noexec Option to /dev/shm + The noexec mount option can be used to prevent binaries +from being executed out of /dev/shm. 
+It can be dangerous to allow the execution of binaries +from world-writable temporary storage directories such as /dev/shm. +Add the noexec option to the fourth column of +/etc/fstab for the line which controls mounting of +/dev/shm. + CCI-001764 + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS05.06 + DSS06.06 + A.11.2.9 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.8.2.1 + A.8.2.2 + A.8.2.3 + A.8.3.1 + A.8.3.3 + A.9.1.2 + 11 + 13 + 14 + 3 + 8 + 9 + SRG-OS-000368-GPOS-00154 + Allowing users to execute binaries from world-writable directories +such as /dev/shm can expose the system to potential compromise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "no" = 'yes'; then + assert_mount_point_in_fstab /dev/shm || { echo "Not remediating, because there is no record of /dev/shm in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/dev/shm" "noexec" "tmpfs" "tmpfs" + + ensure_partition_is_mounted "/dev/shm" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt '/dev/shm' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_noexec + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_noexec + - no_reboot_needed + +- name: If /dev/shm not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - 
source + - fstype + - options + - - /dev/shm + - tmpfs + - tmpfs + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("" | length == 0) + - (device_name.stdout | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_noexec + - no_reboot_needed + +- name: Make sure noexec option is part of the to /dev/shm options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "noexec" not in mount_info.options + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_noexec + - no_reboot_needed + +- name: Ensure /dev/shm is mounted with noexec option + mount: + path: /dev/shm + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" + | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - low_severity + - mount_option_dev_shm_noexec + - no_reboot_needed + + + + + + + + + + Add nosuid Option to /var/log + The nosuid mount option can be used to prevent +execution of setuid programs in /var/log. 
The SUID and SGID permissions +should not be required in directories containing log files. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/var/log. + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SRG-OS-000368-GPOS-00154 + BP28(R12) + CCI-001764 + The presence of SUID and SGID executables should be tightly controlled. Users +should not be able to execute SUID or SGID binaries from partitions +designated for log files. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /var/log || { echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/var/log" "nosuid" "" "" + + ensure_partition_is_mounted "/var/log" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/var/log' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_nosuid + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_nosuid + - no_reboot_needed + +- name: If /var/log not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + - - /var/log + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_nosuid + - no_reboot_needed + +- name: Make sure nosuid option is part of the to /var/log options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "nosuid" not in mount_info.options + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_nosuid + - no_reboot_needed + +- name: Ensure /var/log is mounted with nosuid option + mount: + path: /var/log + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in 
["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_nosuid + - no_reboot_needed + + +part /var/log --mountoptions="nosuid" + + + + + + + + + + Add nosuid Option to /var/log/audit + The nosuid mount option can be used to prevent +execution of setuid programs in /var/log/audit. The SUID and SGID permissions +should not be required in directories containing audit log files. +Add the nosuid option to the fourth column of +/etc/fstab for the line which controls mounting of +/var/log/audit. + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-2 + PR.PT-3 + SRG-OS-000368-GPOS-00154 + CCI-001764 + The presence of SUID and SGID executables should be tightly controlled. Users +should not be able to execute SUID or SGID binaries from partitions +designated for audit log files. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +include_mount_options_functions + +function perform_remediation { + # test "$mount_has_to_exist" = 'yes' + if test "yes" = 'yes'; then + assert_mount_point_in_fstab /var/log/audit || { echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; } + fi + + ensure_mount_option_in_fstab "/var/log/audit" "nosuid" "" "" + + ensure_partition_is_mounted "/var/log/audit" +} + +perform_remediation + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/var/log/audit' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_audit_nosuid + - no_reboot_needed + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_audit_nosuid + - no_reboot_needed + +- name: If /var/log/audit not mounted, craft mount_info manually + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: 
item.1}) }}' + with_together: + - - target + - source + - fstype + - options + - - /var/log/audit + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_audit_nosuid + - no_reboot_needed + +- name: Make sure nosuid option is part of the to /var/log/audit options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "nosuid" not in mount_info.options + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_audit_nosuid + - no_reboot_needed + +- name: Ensure /var/log/audit is mounted with nosuid option + mount: + path: /var/log/audit + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - medium_severity + - mount_option_var_log_audit_nosuid + - no_reboot_needed + + +part /var/log/audit --mountoptions="nosuid" + + + + + + + + + + Bind 
Mount /var/tmp To /tmp + The /var/tmp directory is a world-writable directory. Bind-mount +it to /tmp in order to consolidate temporary storage into one +location protected by the same techniques as /tmp. To do so, edit +/etc/fstab and add the following line: +/tmp /var/tmp none rw,nodev,noexec,nosuid,bind 0 0 +See the mount(8) man page for further explanation of bind mounting. + CM-7(a) + CM-7(b) + CM-6(a) + AC-6 + AC-6(1) + MP-7 + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + Having multiple locations for temporary storage is not required. Unless absolutely +necessary to meet requirements, the storage location /var/tmp should be bind mounted to +/tmp and thus share the same protections. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# Delete particular /etc/fstab's row if /var/tmp is already configured to +# represent a mount point (for some device or filesystem other than /tmp) +if grep -q -P '.*\/var\/tmp.*' /etc/fstab +then + sed -i '/.*\/var\/tmp.*/d' /etc/fstab +fi +umount /var/tmp + +# Bind-mount /var/tmp to /tmp via /etc/fstab (preserving the /etc/fstab form) +printf "%-24s%-24s%-8s%-32s%-3s\n" "/tmp" "/var/tmp" "none" "rw,nodev,noexec,nosuid,bind" "0 0" >> /etc/fstab + +mkdir -p /var/tmp +mount -B /tmp /var/tmp + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Check information associated to mountpoint + command: findmnt --fstab '/var/tmp' + register: device_name + failed_when: device_name.rc > 1 + changed_when: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - mount_option_var_tmp_bind + - no_reboot_needed + - unknown_severity + +- name: Create mount_info dictionary variable + set_fact: + mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - '{{ device_name.stdout_lines[0].split() | list | lower }}' + - '{{ device_name.stdout_lines[1].split() | list }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - device_name.stdout is defined and device_name.stdout_lines is defined + - (device_name.stdout | length > 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - mount_option_var_tmp_bind + - no_reboot_needed + - unknown_severity + +- name: If /var/tmp not mounted, craft mount_info manually + set_fact: + mount_info: 
'{{ mount_info|default({})|combine({item.0: item.1}) }}' + with_together: + - - target + - source + - fstype + - options + - - /var/tmp + - '' + - '' + - defaults + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - ("--fstab" | length == 0) + - (device_name.stdout | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - mount_option_var_tmp_bind + - no_reboot_needed + - unknown_severity + +- name: Make sure bind option is part of the to /var/tmp options + set_fact: + mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',bind'' + }) }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - mount_info is defined and "bind" not in mount_info.options + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - mount_option_var_tmp_bind + - no_reboot_needed + - unknown_severity + +- name: Ensure /var/tmp is mounted with bind option + mount: + path: /var/tmp + src: '{{ mount_info.source }}' + opts: '{{ mount_info.options }}' + state: mounted + fstype: '{{ mount_info.fstype }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab" + | length == 0) + tags: + - NIST-800-53-AC-6 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - configure_strategy + - high_disruption + - low_complexity + - mount_option_var_tmp_bind + - no_reboot_needed + - unknown_severity + + +part /var/tmp --mountoptions="bind" + + + + + + + + + Configure Syslog + The 
syslog service has been the default Unix logging mechanism for +many years. It has a number of downsides, including inconsistent log format, +lack of authentication for received messages, and lack of authentication, +encryption, or reliable transport for messages sent over a network. However, +due to its long history, syslog is a de facto standard which is supported by +almost all Unix applications. + + +In Fedora, rsyslog has replaced ksyslogd as the +syslog daemon of choice, and it includes some additional security features +such as reliable, connection-oriented (i.e. TCP) transmission of logs, the +option to log to database formats, and the encryption of log data en route to +a central logging server. +This section discusses how to configure rsyslog for +best effect, and how to use tools provided with the system to maintain and +monitor logs. + + + Ensure rsyslog-gnutls is installed + TLS protocol support for rsyslog is installed. +The rsyslog-gnutls package can be installed with the following command: + +$ sudo dnf install rsyslog-gnutls + FTP_ITC_EXT.1.1 + SRG-OS-000480-GPOS-00227 + SRG-OS-000120-GPOS-00061 + BP28(R43) + CCI-000366 + The rsyslog-gnutls package provides Transport Layer Security (TLS) support +for the rsyslog daemon, which enables secure remote logging. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! 
rpm -q --quiet "rsyslog-gnutls" ; then + dnf install -y "rsyslog-gnutls" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure rsyslog-gnutls is installed + package: + name: rsyslog-gnutls + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_rsyslog-gnutls_installed + + include install_rsyslog-gnutls + +class install_rsyslog-gnutls { + package { 'rsyslog-gnutls': + ensure => 'installed', + } +} + + +package --add=rsyslog-gnutls + + +[[packages]] +name = "rsyslog-gnutls" +version = "*" + + + + + + + + + + Ensure rsyslog is Installed + Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ sudo dnf install rsyslog + BP28(R5) + NT28(R46) + CCI-001311 + CCI-001312 + CCI-000366 + 164.312(a)(2)(ii) + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + CM-6(a) + PR.PT-1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + BAI03.05 + DSS05.04 + DSS05.07 + MEA02.01 + 1 + 14 + 15 + 16 + 3 + 5 + 6 + SRG-OS-000479-GPOS-00224 + SRG-OS-000051-GPOS-00024 + SRG-OS-000480-GPOS-00227 + The rsyslog package provides the rsyslog daemon, which provides +system logging services. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! 
rpm -q --quiet "rsyslog" ; then + dnf install -y "rsyslog" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure rsyslog is installed + package: + name: rsyslog + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_rsyslog_installed + + include install_rsyslog + +class install_rsyslog { + package { 'rsyslog': + ensure => 'installed', + } +} + + +package --add=rsyslog + + +[[packages]] +name = "rsyslog" +version = "*" + + + + + + + + + + Enable rsyslog Service + The rsyslog service provides syslog-style logging by default on Fedora. + +The rsyslog service can be enabled with the following command: +$ sudo systemctl enable rsyslog.service + BP28(R5) + NT28(R46) + CCI-001311 + CCI-001312 + CCI-001557 + CCI-001851 + CCI-000366 + 164.312(a)(2)(ii) + A.12.1.3 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.17.2.1 + CM-6(a) + AU-4(1) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.DS-4 + PR.PT-1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO13.01 + BAI03.05 + BAI04.04 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + SRG-OS-000480-GPOS-00227 + The rsyslog service must be running in order to provide +logging services, which are essential to system administration. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'rsyslog.service' +"$SYSTEMCTL_EXEC" start 'rsyslog.service' +"$SYSTEMCTL_EXEC" enable 'rsyslog.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable service rsyslog + block: + + - name: Gather the package facts + package_facts: + manager: auto + + - name: Enable service rsyslog + service: + name: rsyslog + enabled: 'yes' + state: started + masked: 'no' + when: + - '"rsyslog" in ansible_facts.packages' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-4(1) + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_rsyslog_enabled + + include enable_rsyslog + +class enable_rsyslog { + service {'rsyslog': + enable => true, + ensure => 'running', + } +} + + + + + + + + + + Disable Logwatch on Clients if a Logserver Exists + Does your site have a central logserver which has been configured to report +on logs received from all systems? If so: +$ sudo rm /etc/cron.daily/0logwatch +If no logserver exists, it will be necessary for each system to run +Logwatch individually. Using a central logserver provides the security and +reliability benefits discussed earlier, and also makes monitoring logs +easier and less time-intensive for administrators. + + + + + Configure rsyslogd to Accept Remote Messages If Acting as a Log Server + By default, rsyslog does not listen over the network +for log messages. If needed, modules can be enabled to allow +the rsyslog daemon to receive messages from other systems and for the system +thus to act as a log server. +If the system is not a log server, then lines concerning these modules +should remain commented out. + + + + Ensure syslog-ng is Installed + syslog-ng can be installed in replacement of rsyslog. 
+The syslog-ng-core package can be installed with the following command: + +$ sudo dnf install syslog-ng-core + BP28(R46) + BP28(R5) + CCI-001311 + CCI-001312 + CM-6(a) + PR.PT-1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + BAI03.05 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + 1 + 14 + 15 + 16 + 3 + 5 + 6 + The syslog-ng-core package provides the syslog-ng daemon, which provides +system logging services. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "syslogng" ; then + dnf install -y "syslogng" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure syslogng is installed + package: + name: syslogng + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_syslogng_installed + + include install_syslogng + +class install_syslogng { + package { 'syslogng': + ensure => 'installed', + } +} + + +package --add=syslogng + + +[[packages]] +name = "syslogng" +version = "*" + + + + + + + + + + Enable syslog-ng Service + The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian. 
+ +The syslog-ng service can be enabled with the following command: +$ sudo systemctl enable syslog-ng.service + CCI-001311 + CCI-001312 + CCI-001557 + CCI-001851 + BP28(R46) + BP28(R5) + CM-6(a) + AU-4(1) + DE.CM-1 + DE.CM-3 + DE.CM-7 + ID.SC-4 + PR.DS-4 + PR.PT-1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + SR 6.2 + SR 7.1 + SR 7.2 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + APO13.01 + BAI03.05 + BAI04.04 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.1.3 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.14.2.7 + A.15.2.1 + A.15.2.2 + A.17.2.1 + 1 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + The syslog-ng service must be running in order to provide +logging services, which are essential to system administration. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'syslogng.service' +"$SYSTEMCTL_EXEC" start 'syslogng.service' +"$SYSTEMCTL_EXEC" enable 'syslogng.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable service syslogng + block: + + - name: Gather the package facts + package_facts: + manager: auto + + - name: Enable service syslogng + service: + name: syslogng + enabled: 'yes' + state: started + masked: 'no' + when: + - '"syslogng" in ansible_facts.packages' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-4(1) + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_syslogng_enabled + + include enable_syslogng + +class enable_syslogng { + service {'syslogng': + enable => true, + ensure => 'running', + } +} + + + + + + + + + + Enable rsyslog to Accept Messages via TCP, if Acting As Log Server + The rsyslog daemon should not accept remote messages +unless the system acts as a log server. +If the system needs to act as a central log server, add the following lines to +/etc/rsyslog.conf to enable reception of messages over TCP: +$ModLoad imtcp +$InputTCPServerRun 514 + CM-6(a) + AU-6(3) + AU-6(4) + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + BAI03.05 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + 1 + 14 + 15 + 16 + 3 + 5 + 6 + PR.PT-1 + If the system needs to act as a log server, this ensures that it can receive +messages over a reliable TCP connection. + + + + Enable rsyslog to Accept Messages via UDP, if Acting As Log Server + The rsyslog daemon should not accept remote messages +unless the system acts as a log server. 
+If the system needs to act as a central log server, add the following lines to +/etc/rsyslog.conf to enable reception of messages over UDP: +$ModLoad imudp +$UDPServerRun 514 + CM-6(a) + AU-6(3) + AU-6(4) + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + BAI03.05 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + 1 + 14 + 15 + 16 + 3 + 5 + 6 + PR.PT-1 + Many devices, such as switches, routers, and other Unix-like systems, may only support +the traditional syslog transmission over UDP. If the system must act as a log server, +this enables it to receive their messages as well. + + + + Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server + The rsyslog daemon should not accept remote messages +unless the system acts as a log server. +To ensure that it is not listening on the network, ensure the following lines are +not found in /etc/rsyslog.conf: +$ModLoad imtcp +$InputTCPServerRun port +$ModLoad imudp +$UDPServerRun port +$ModLoad imrelp +$InputRELPServerRun port + CCI-000318 + CCI-000366 + CCI-000368 + CCI-001812 + CCI-001813 + CCI-001814 + CM-7(a) + CM-7(b) + CM-6(a) + DE.AE-1 + ID.AM-3 + PR.AC-5 + PR.DS-5 + PR.IP-1 + PR.PT-1 + PR.PT-4 + SRG-OS-000480-GPOS-00227 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.2.3.4 + 4.3.3.3.9 + 4.3.3.4 + 4.3.3.5.8 + 4.3.4.3.2 + 4.3.4.3.3 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + 4.4.3.3 + APO01.06 + APO11.04 + APO13.01 + BAI03.05 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.05 + DSS03.01 + DSS05.02 + DSS05.04 + DSS05.07 + DSS06.02 + MEA02.01 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.5.1 + A.12.6.2 + A.12.7.1 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.14.2.2 + 
A.14.2.3 + A.14.2.4 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 4 + 5 + 6 + 8 + 9 + 0988 + 1405 + Any process which receives messages from the network incurs some risk +of receiving malicious messages. This risk can be eliminated for +rsyslog by configuring it not to listen on the network. + + + + + + + + + + + Ensure All Logs are Rotated by logrotate + +Edit the file /etc/logrotate.d/syslog. Find the first + +line, which should look like this (wrapped for clarity): +/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler \ + /var/log/boot.log /var/log/cron { +Edit this line so that it contains a one-space-separated +listing of each log file referenced in /etc/rsyslog.conf. + +All logs in use on a system must be rotated regularly, or the +log files will consume disk space over time, eventually interfering +with system operation. The file /etc/logrotate.d/syslog is the +configuration file used by the logrotate program to maintain all +log files written by syslog. By default, it rotates logs weekly and +stores four archival copies of each log. These settings can be +modified by editing /etc/logrotate.conf, but the defaults are +sufficient for purposes of this guide. + +Note that logrotate is run nightly by the cron job +/etc/cron.daily/logrotate. If particularly active logs need to be +rotated more often than once a day, some other mechanism must be +used. + + + Ensure Logrotate Runs Periodically + The logrotate utility allows for the automatic rotation of +log files. The frequency of rotation is specified in /etc/logrotate.conf, +which triggers a cron task. 
To configure logrotate to run daily, add or correct +the following line in /etc/logrotate.conf: +# rotate log files frequency +daily + CCI-000366 + CM-6(a) + PR.PT-1 + Req-10.7 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + BAI03.05 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + 1 + 14 + 15 + 16 + 3 + 5 + 6 + BP28(R43) + NT12(R18) + Log files that are not properly rotated run the risk of growing so large +that they fill up the /var/log partition. Valuable logging information could be lost +if the /var/log partition becomes full. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +LOGROTATE_CONF_FILE="/etc/logrotate.conf" +CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate" + +# daily rotation is configured +grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE + +# remove any line configuring weekly, monthly or yearly rotation +sed -i '/^\s*\(weekly\|monthly\|yearly\).*$/d' $LOGROTATE_CONF_FILE + +# configure cron.daily if not already +if ! 
grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then + echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE + echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Configure daily log rotation in /etc/logrotate.conf + lineinfile: + create: true + dest: /etc/logrotate.conf + regexp: ^daily$ + line: daily + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.7 + - configure_strategy + - ensure_logrotate_activated + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf + lineinfile: + create: false + dest: /etc/logrotate.conf + regexp: ^[\s]*(weekly|monthly|yearly)$ + state: absent + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.7 + - configure_strategy + - ensure_logrotate_activated + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Configure cron.daily if not already + block: + + - name: Add shebang + lineinfile: + path: /etc/cron.daily/logrotate + line: '#!/bin/sh' + insertbefore: BOF + create: true + + - name: Add logrotate call + lineinfile: + path: /etc/cron.daily/logrotate + line: /usr/sbin/logrotate /etc/logrotate.conf + regexp: ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$ + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.7 + - configure_strategy + - ensure_logrotate_activated + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + 
ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%20see%20%22man%20logrotate%22%20for%20details%0A%23%20rotate%20log%20files%20daily%0Adaily%0A%0A%23%20keep%204%20weeks%20worth%20of%20backlogs%0Arotate%2030%0A%0A%23%20create%20new%20%28empty%29%20log%20files%20after%20rotating%20old%20ones%0Acreate%0A%0A%23%20use%20date%20as%20a%20suffix%20of%20the%20rotated%20file%0Adateext%0A%0A%23%20uncomment%20this%20if%20you%20want%20your%20log%20files%20compressed%0A%23compress%0A%0A%23%20RPM%20packages%20drop%20log%20rotation%20information%20into%20this%20directory%0Ainclude%20/etc/logrotate.d%0A%0A%23%20system-specific%20logs%20may%20be%20also%20be%20configured%20here. + mode: 0644 + path: /etc/logrotate.conf + overwrite: true + + + + + + + + + + + Rsyslog Logs Sent To Remote Host + If system logs are to be useful in detecting malicious +activities, it is necessary to send logs to a remote server. An +intruder who has compromised the root account on a system may +delete the log entries which indicate that the system was attacked +before they are seen by an administrator. + +However, it is recommended that logs be stored on the local +host in addition to being sent to the loghost, especially if +rsyslog has been configured to use the UDP protocol to send +messages over a network. UDP does not guarantee reliable delivery, +and moderately busy sites will lose log messages occasionally, +especially in periods of high traffic which may be the result of an +attack. In addition, remote rsyslog messages are not +authenticated in any way by default, so it is easy for an attacker to +introduce spurious messages to the central log server. Also, some +problems cause loss of network connectivity, which will prevent the +sending of messages to the central server. For all of these reasons, it is +better to store log messages both centrally and on each host, so +that they can be correlated if necessary. 
+ + + Remote Log Server + Specify an URI or IP address of a remote host where the log messages will be sent and stored. + logcollector + + + Configure TLS for rsyslog remote logging + Configure rsyslog to use Transport Layer +Security (TLS) support for logging to remote server +for the Forwarding Output Module in /etc/rsyslog.conf +using action. You can use the following command: +echo 'action(type="omfwd" protocol="tcp" Target="<remote system>" port="6514" + StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" streamdriver.CheckExtendedKeyPurpose="on")' >> /etc/rsyslog.conf + +Replace the <remote system> in the above command with an IP address or a host name of the remote logging server. + AU-9(3) + CM-6(a) + FCS_TLSC_EXT.1 + FTP_ITC_EXT.1.1 + SRG-OS-000480-GPOS-00227 + SRG-OS-000120-GPOS-00061 + 0988 + 1405 + BP28(R43) + For protection of data being logged, the connection to the +remote logging server needs to be authenticated and encrypted. + + + + + + + + + + Ensure Logs Sent To Remote Host + To configure rsyslog to send logs to a remote log server, +open /etc/rsyslog.conf and read and understand the last section of the file, +which describes the multiple directives necessary to activate remote +logging. +Along with these other directives, the system can be configured +to forward its logs to a particular log server by +adding or correcting one of the following lines, +substituting appropriately. +The choice of protocol depends on the environment of the system; +although TCP and RELP provide more reliable message delivery, +they may not be supported in all environments. + +To use UDP for log message delivery: +*.* @ + +To use TCP for log message delivery: +*.* @@ + +To use RELP for log message delivery: +*.* :omrelp: + +There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility. 
+ BP28(R7) + NT28(R43) + NT12(R5) + CCI-000366 + CCI-001348 + CCI-000136 + CCI-001851 + 164.308(a)(1)(ii)(D) + 164.308(a)(5)(ii)(B) + 164.308(a)(5)(ii)(C) + 164.308(a)(6)(ii) + 164.308(a)(8) + 164.310(d)(2)(iii) + 164.312(b) + 164.314(a)(2)(i)(C) + 164.314(a)(2)(iii) + A.12.1.3 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.17.2.1 + CM-6(a) + AU-4(1) + AU-9(2) + PR.DS-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000479-GPOS-00224 + SRG-OS-000480-GPOS-00227 + SRG-OS-000342-GPOS-00133 + SRG-OS-000032-VMM-000130 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 7.1 + SR 7.2 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + APO13.01 + BAI03.05 + BAI04.04 + DSS05.04 + DSS05.07 + MEA02.01 + 1 + 13 + 14 + 15 + 16 + 2 + 3 + 5 + 6 + 0988 + 1405 + A log server (loghost) receives syslog messages from one or more +systems. This data can be used as an additional log source in the event a +system is compromised and its local logs are suspect. Forwarding log messages +to a remote loghost also provides system administrators with a centralized +place to view the status of multiple hosts within the enterprise. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +rsyslog_remote_loghost_address="" + +replace_or_append '/etc/rsyslog.conf' '^\*\.\*' "@@$rsyslog_remote_loghost_address" '' '%s %s' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value rsyslog_remote_loghost_address # promote to variable + set_fact: + rsyslog_remote_loghost_address: !!str + tags: + - always + +- name: Set rsyslog remote loghost + lineinfile: + dest: /etc/rsyslog.conf + regexp: ^\*\.\* + line: '*.* @@{{ rsyslog_remote_loghost_address }}' + create: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-4(1) + - NIST-800-53-AU-9(2) + - NIST-800-53-CM-6(a) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - rsyslog_remote_loghost + + + + + + + + + + Configure CA certificate for rsyslog remote logging + Configure CA certificate for rsyslog logging +to remote server using Transport Layer Security (TLS) +using correct path for the DefaultNetstreamDriverCAFile +global option in /etc/rsyslog.conf, for example with the following command: +echo 'global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem")' >> /etc/rsyslog.conf +Replace the /etc/pki/tls/cert.pem in the above command with the path to the file with CA certificate generated for the purpose of remote logging. + FCS_TLSC_EXT.1 + FTP_ITC_EXT.1.1 + SRG-OS-000480-GPOS-00227 + 0988 + 1405 + BP28(R43) + The CA certificate needs to be set or rsyslog.service +fails to start with +error: ca certificate is not set, cannot continue + + + + + + + + + + + Ensure Proper Configuration of Log Files + The file /etc/rsyslog.conf controls where log message are written. +These are controlled by lines called rules, which consist of a +selector and an action. 
+These rules are often customized depending on the role of the system, the +requirements of the environment, and whatever may enable +the administrator to most effectively make use of log data. +The default rules in Fedora are: +*.info;mail.none;authpriv.none;cron.none /var/log/messages +authpriv.* /var/log/secure +mail.* -/var/log/maillog +cron.* /var/log/cron +*.emerg * +uucp,news.crit /var/log/spooler +local7.* /var/log/boot.log +See the man page rsyslog.conf(5) for more information. +Note that the rsyslog daemon can be configured to use a timestamp format that +some log processing programs may not understand. If this occurs, +edit the file /etc/rsyslog.conf and add or edit the following line: +$ ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat + + + group who owns log files + Specify group owner of all logfiles specified in +/etc/rsyslog.conf. + root + adm + root + + + User who owns log files + Specify user owner of all logfiles specified in +/etc/rsyslog.conf. + root + adm + root + syslog + + + Ensure Log Files Are Owned By Appropriate User + The owner of all log files written by +rsyslog should be . +These log files are determined by the second part of each Rule line in +/etc/rsyslog.conf and typically all appear in /var/log. 
+For each log file LOGFILE referenced in /etc/rsyslog.conf, +run the following command to inspect the file's owner: +$ ls -l LOGFILE +If the owner is not , run the following command to +correct this: +$ sudo chown LOGFILE + BP28(R46) + BP28(R5) + CCI-001314 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + Req-10.5.1 + Req-10.5.2 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + 0988 + 1405 + The log files generated by rsyslog contain valuable information regarding system +configuration, user authentication, and other such information. Log files should be +protected from unauthorized access. + + + + + + + + + + Ensure cron Is Logging To Rsyslog + Cron logging must be implemented to spot intrusions or trace +cron job status. If cron is not logging to rsyslog, it +can be implemented by adding the following to the RULES section of +/etc/rsyslog.conf: +cron.* /var/log/cron + CCI-000366 + CM-6(a) + ID.SC-4 + PR.PT-1 + FAU_GEN.1.1.c + SRG-OS-000480-GPOS-00227 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + SR 6.1 + 4.3.2.6.7 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO10.01 + APO10.03 + APO10.04 + APO10.05 + APO11.04 + BAI03.05 + DSS05.04 + DSS05.07 + MEA01.01 + MEA01.02 + MEA01.03 + MEA01.04 + MEA01.05 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.15.2.1 + A.15.2.2 + 1 + 14 + 15 + 16 + 3 + 5 + 6 + 0988 + 1405 + Cron logging can be used to trace the successful or unsuccessful execution +of cron jobs. It can also be used to spot intrusions into the use of the cron +facility by unauthorized and malicious users. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if ! grep -s "^\s*cron\.\*\s*/var/log/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then + mkdir -p /etc/rsyslog.d + echo "cron.* /var/log/cron" >> /etc/rsyslog.d/cron.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Ensure Log Files Are Owned By Appropriate Group + The group-owner of all log files written by +rsyslog should be . +These log files are determined by the second part of each Rule line in +/etc/rsyslog.conf and typically all appear in /var/log. +For each log file LOGFILE referenced in /etc/rsyslog.conf, +run the following command to inspect the file's group owner: +$ ls -l LOGFILE +If the owner is not , run the following command to +correct this: +$ sudo chgrp LOGFILE + BP28(R46) + BP28(R5) + CCI-001314 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + Req-10.5.1 + Req-10.5.2 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + 0988 + 1405 + The log files generated by rsyslog contain valuable information regarding system +configuration, user authentication, and other such information. Log files should be +protected from unauthorized access. + + + + + + + + + + Ensure System Log Files Have Correct Permissions + The file permissions for all log files written by rsyslog should +be set to 600, or more restrictive. These log files are determined by the +second part of each Rule line in /etc/rsyslog.conf and typically +all appear in /var/log. 
For each log file LOGFILE +referenced in /etc/rsyslog.conf, run the following command to +inspect the file's permissions: +$ ls -l LOGFILE +If the permissions are not 600 or more restrictive, run the following +command to correct this: +$ sudo chmod 0600 LOGFILE" + BP28(R36) + CCI-001314 + CM-6(a) + AC-6(1) + Req-10.5.1 + Req-10.5.2 + 0988 + 1405 + Log files can contain valuable information regarding system +configuration. If the system log files are not protected unauthorized +users could change the logged data, eliminating their forensic value. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# List of log file paths to be inspected for correct permissions +# * Primarily inspect log file paths listed in /etc/rsyslog.conf +RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" +# * And also the log file paths listed after rsyslog's $IncludeConfig directive +# (store the result into array for the case there's shell glob used as value of IncludeConfig) +readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) +readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) + +# Declare an array to hold the final list of different log file paths +declare -a LOG_FILE_PATHS + +# Browse each file selected above as containing paths of log files +# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) +for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}" +do + # From each of these files extract just particular log file path(s), thus: + # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, + # * Ignore empty lines, + # * Strip quotes and closing brackets from paths. 
+ # * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files + # * From the remaining valid rows select only fields constituting a log file path + # Text file column is understood to represent a log file path if and only if all of the following are met: + # * it contains at least one slash '/' character, + # * it is preceded by space + # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters + # Search log file for path(s) only in case it exists! + if [[ -f "${LOG_FILE}" ]] + then + NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[[:space:]|#|$]/d" "${LOG_FILE}") + LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+' <<< "${NORMALIZED_CONFIG_FILE_LINES}") + FILTERED_PATHS=$(sed -e 's/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g' <<< "${LINES_WITH_PATHS}") + CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}") + MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}") + # Since above sed command might return more than one item (delimited by newline), split the particular + # matches entries into new array specific for this log file + readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS" + # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with + # items from newly created array for this log file + LOG_FILE_PATHS+=("${ARRAY_FOR_LOG_FILE[@]}") + # Delete the temporary array + unset ARRAY_FOR_LOG_FILE + fi +done + +for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}" +do + # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing + if [ -z "$LOG_FILE_PATH" ] + then + continue + fi + + # Also for each log file check if its permissions differ from 600. 
If so, correct them + if [ -f "$LOG_FILE_PATH" ] && [ "$(/usr/bin/stat -c %a "$LOG_FILE_PATH")" -ne 600 ] + then + /bin/chmod 600 "$LOG_FILE_PATH" + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + + Configure Logwatch on the Central Log Server + Is this system the central log server? If so, edit the file /etc/logwatch/conf/logwatch.conf as shown below. + + + Configure Logwatch SplitHosts Line + If SplitHosts is set, Logwatch will separate entries by hostname. +This makes the report longer but significantly more usable. If it is not +set, then Logwatch will not report which host generated a given log entry, +and that information is almost always necessary + SplitHosts = yes + + + + + + + + Configure Logwatch HostLimit Line + On a central logserver, you want Logwatch to summarize all syslog entries, +including those which did not originate on the logserver itself. The +HostLimit setting tells Logwatch to report on all hosts, not just +the one on which it is running. + HostLimit = no + + + + + + + + + + Network Configuration and Firewalls + Most systems must be connected to a network of some +sort, and this brings with it the substantial risk of network +attack. This section discusses the security impact of decisions +about networking which must be made when configuring a system. + +This section also discusses firewalls, network access +controls, and other network security frameworks, which allow +system-level rules to be written that can limit an attackers' ability +to connect to your system. These rules can specify that network +traffic should be allowed or denied from certain IP addresses, +hosts, and networks. The rules can also specify which of the +system's network services are available to particular hosts or +networks. + + Ensure System is Not Acting as a Network Sniffer + The system should not be acting as a network sniffer, which can +capture all traffic on the network to which it is connected. 
Run the following +to determine if any interface is running in promiscuous mode: +$ ip link | grep PROMISC +Promiscuous mode of an interface can be disabled with the following command: +$ sudo ip link set dev device_name multicast off promisc off + CCI-000366 + CM-7(a) + CM-7(b) + CM-6(a) + CM-7(2) + MA-3 + DE.DP-5 + ID.AM-1 + PR.IP-1 + PR.MA-1 + PR.PT-3 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + SR 7.8 + 4.2.3.4 + 4.3.3.3.7 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + 4.4.3.4 + APO11.06 + APO12.06 + BAI03.10 + BAI09.01 + BAI09.02 + BAI09.03 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.05 + DSS04.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.11.1.2 + A.11.2.4 + A.11.2.5 + A.11.2.6 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.16.1.6 + A.8.1.1 + A.8.1.2 + A.9.1.2 + 1 + 11 + 14 + 3 + 9 + Network interfaces in promiscuous mode allow for the capture of all network traffic +visible to the system. If unauthorized individuals can access these applications, it +may allow them to collect information such as logon IDs, passwords, and key exchanges +between systems. + +If the system is being used to perform a network troubleshooting function, the use of these +tools must be documented with the Information Systems Security Manager (ISSM) and restricted +to only authorized personnel. + + + + + + + + + + Disable Zeroconf Networking + Zeroconf networking allows the system to assign itself an IP +address and engage in IP communication without a statically-assigned address or +even a DHCP server. 
Automatic address assignment via Zeroconf (or DHCP) is not +recommended. To disable Zeroconf automatic route assignment in the 169.254.0.0 +subnet, add or correct the following line in /etc/sysconfig/network: +NOZEROCONF=yes + CM-7(a) + CM-7(b) + CM-6(a) + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + PR.IP-1 + PR.PT-3 + Zeroconf addresses are in the network 169.254.0.0. The networking +scripts add entries to the system's routing table for these addresses. Zeroconf +address assignment commonly occurs when the system is configured to use DHCP +but fails to receive an address assignment from the DHCP server. + + + + + + Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + By default, non-privileged users are given permissions to modify networking +interfaces and configurations using the nmcli command. Non-privileged +users should not be making configuration changes to network configurations. 
To +ensure that non-privileged users do not have permissions to make changes to the +network configuration using nmcli, create the following configuration in +/etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla: + +[Disable General User Access to NetworkManager] +Identity=default +Action=org.freedesktop.NetworkManager.* +ResultAny=no +ResultInactive=no +ResultActive=auth_admin + + 3.1.16 + AC-18(4) + CM-6(a) + 0418 + 1055 + 1402 + Allowing non-privileged users to make changes to network settings can allow +untrusted access, prevent system availability, and/or can lead to a compromise or +attack. + +printf "[Disable General User Access to NetworkManager]\nIdentity=default\nAction=org.freedesktop.NetworkManager.*\nResultAny=no\nResultInactive=no\nResultActive=auth_admin\n" > /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla + + - name: Ensure non-privileged users do not have access to nmcli + ini_file: + path: /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla + section: Disable General User Access to NetworkManager + option: '{{ item.option }}' + value: '{{ item.value }}' + no_extra_spaces: true + create: true + loop: + - option: Identity + value: default + - option: Action + value: org.freedesktop.NetworkManager.* + - option: ResultAny + value: 'no' + - option: ResultInactive + value: 'no' + - option: ResultActive + value: auth_admin + tags: + - NIST-800-171-3.1.16 + - NIST-800-53-AC-18(4) + - NIST-800-53-CM-6(a) + - low_complexity + - low_disruption + - medium_severity + - network_nmcli_permissions + - no_reboot_needed + - restrict_strategy + + + + + + + + + + Uncommon Network Protocols + The system includes support for several network protocols which are not commonly used. +Although security vulnerabilities in kernel networking code are not frequently discovered, +the consequences can be dramatic. 
Ensuring uncommon network protocols are disabled +reduces the system's risk to attacks targeted at its implementation of those protocols. + Although these protocols are not commonly used, avoid disruption +in your network environment by ensuring they are not needed +prior to disabling them. + + + Disable RDS Support + The Reliable Datagram Sockets (RDS) protocol is a transport +layer protocol designed to provide reliable high-bandwidth, +low-latency communications between nodes in a cluster. + +To configure the system to prevent the rds +kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: +install rds /bin/true + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + Disabling RDS protects +the system against exploitation of any flaws in its implementation. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install rds" /etc/modprobe.d/rds.conf ; then + sed -i 's/^install rds.*/install rds /bin/true/g' /etc/modprobe.d/rds.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/rds.conf + echo "install rds /bin/true" >> /etc/modprobe.d/rds.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure kernel module 'rds' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/rds.conf + regexp: rds + line: install rds /bin/true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - kernel_module_rds_disabled + - low_complexity + - low_severity + - medium_disruption + - reboot_required + + + + + + + + + + Disable IEEE 1394 (FireWire) Support + The IEEE 1394 (FireWire) is a serial bus standard for +high-speed real-time communication. + +To configure the system to prevent the firewire-core +kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: +install firewire-core /bin/true + FMT_SMF_EXT.1 + SRG-OS-000095-GPOS-00049 + CCI-000381 + Disabling FireWire protects the system against exploitation of any +flaws in its implementation. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install firewire-core" /etc/modprobe.d/firewire-core.conf ; then + sed -i 's/^install firewire-core.*/install firewire-core /bin/true/g' /etc/modprobe.d/firewire-core.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/firewire-core.conf + echo "install firewire-core /bin/true" >> /etc/modprobe.d/firewire-core.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure kernel module 'firewire-core' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/firewire-core.conf + regexp: firewire-core + line: install firewire-core /bin/true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - kernel_module_firewire-core_disabled + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20firewire-core%20/bin/true%0A + mode: 0644 + path: /etc/modprobe.d/75-kernel_module_firewire-core_disabled.conf + overwrite: true + + + + + + + + + + Disable TIPC Support + The Transparent Inter-Process Communication (TIPC) protocol +is designed to provide communications between nodes in a +cluster. + +To configure the system to prevent the tipc +kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: +install tipc /bin/true + This configuration baseline was created to deploy the base operating system for general purpose +workloads. When the operating system is configured for certain purposes, such as +a node in High Performance Computing cluster, it is expected that +the tipc kernel module will be loaded. 
+ CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + FMT_SMF_EXT.1 + SRG-OS-000095-GPOS-00049 + CCI-000381 + Disabling TIPC protects +the system against exploitation of any flaws in its implementation. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install tipc" /etc/modprobe.d/tipc.conf ; then + sed -i 's/^install tipc.*/install tipc /bin/true/g' /etc/modprobe.d/tipc.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/tipc.conf + echo "install tipc /bin/true" >> /etc/modprobe.d/tipc.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure kernel module 'tipc' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/tipc.conf + regexp: tipc + line: install tipc /bin/true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - kernel_module_tipc_disabled + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,install%20tipc%20/bin/true%0A + mode: 0644 + path: /etc/modprobe.d/75-kernel_module_tipc_disabled.conf + overwrite: true + + + + + + + + + + Disable DCCP Support + The Datagram Congestion Control Protocol (DCCP) is a +relatively new transport layer protocol, designed to support +streaming media and telephony. + +To configure the system to prevent the dccp +kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: +install dccp /bin/true + 5.10.1 + 3.4.6 + CCI-001958 + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + SRG-OS-000096-GPOS-00050 + SRG-OS-000378-GPOS-00163 + Disabling DCCP protects +the system against exploitation of any flaws in its implementation. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install dccp" /etc/modprobe.d/dccp.conf ; then + sed -i 's/^install dccp.*/install dccp /bin/true/g' /etc/modprobe.d/dccp.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/dccp.conf + echo "install dccp /bin/true" >> /etc/modprobe.d/dccp.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure kernel module 'dccp' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/dccp.conf + regexp: dccp + line: install dccp /bin/true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.10.1 + - NIST-800-171-3.4.6 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - kernel_module_dccp_disabled + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + + + + + + + + + + Disable ATM Support + The Asynchronous Transfer Mode (ATM) is a protocol operating on +network, data link, and physical layers, based on virtual circuits +and virtual paths. + +To configure the system to prevent the atm +kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: +install atm /bin/true + FMT_SMF_EXT.1 + SRG-OS-000095-GPOS-00049 + CCI-000381 + Disabling ATM protects the system against exploitation of any +flaws in its implementation. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install atm" /etc/modprobe.d/atm.conf ; then + sed -i 's/^install atm.*/install atm /bin/true/g' /etc/modprobe.d/atm.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/atm.conf + echo "install atm /bin/true" >> /etc/modprobe.d/atm.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure kernel module 'atm' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/atm.conf + regexp: atm + line: install atm /bin/true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - kernel_module_atm_disabled + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20atm%20/bin/true%0A + mode: 0644 + path: /etc/modprobe.d/75-kernel_module_atm_disabled.conf + overwrite: true + + + + + + + + + + Disable CAN Support + The Controller Area Network (CAN) is a serial communications +protocol which was initially developed for automotive and +is now also used in marine, industrial, and medical applications. + +To configure the system to prevent the can +kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d: +install can /bin/true + FMT_SMF_EXT.1 + SRG-OS-000095-GPOS-00049 + CCI-000381 + Disabling CAN protects the system against exploitation of any +flaws in its implementation. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install can" /etc/modprobe.d/can.conf ; then + sed -i 's/^install can.*/install can /bin/true/g' /etc/modprobe.d/can.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/can.conf + echo "install can /bin/true" >> /etc/modprobe.d/can.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure kernel module 'can' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/can.conf + regexp: can + line: install can /bin/true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - kernel_module_can_disabled + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20can%20/bin/true%0A + mode: 0644 + path: /etc/modprobe.d/75-kernel_module_can_disabled.conf + overwrite: true + + + + + + + + + + + Wireless Networking + Wireless networking, such as 802.11 +(WiFi) and Bluetooth, can present a security risk to sensitive or +classified systems and networks. Wireless networking hardware is +much more likely to be included in laptop or portable systems than +in desktops or servers. + +Removal of hardware provides the greatest assurance that the wireless +capability remains disabled. Acquisition policies often include provisions to +prevent the purchase of equipment that will be used in sensitive spaces and +includes wireless capabilities. If it is impractical to remove the wireless +hardware, and policy permits the device to enter sensitive spaces as long +as wireless is disabled, efforts should instead focus on disabling wireless capability +via software. 
+ + Disable Wireless Through Software Configuration + If it is impossible to remove the wireless hardware +from the device in question, disable as much of it as possible +through software. The following methods can disable software +support for wireless networking, but note that these methods do not +prevent malicious software or careless users from re-activating the +devices. + + Disable Bluetooth Service + +The bluetooth service can be disabled with the following command: +$ sudo systemctl mask --now bluetooth.service +$ sudo service bluetooth stop + 3.1.16 + CCI-000085 + CCI-001551 + AC-18(a) + AC-18(3) + CM-7(a) + CM-7(b) + CM-6(a) + MP-7 + PR.AC-3 + PR.IP-1 + PR.PT-3 + PR.PT-4 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.04 + DSS05.02 + DSS05.03 + DSS05.05 + DSS06.06 + A.11.2.6 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.2.1 + A.6.2.2 + A.9.1.2 + 11 + 12 + 14 + 15 + 3 + 8 + 9 + Disabling the bluetooth service prevents the system from attempting +connections to Bluetooth devices, which entails some security risk. +Nevertheless, variation in this risk decision may be expected due to the +utility of Bluetooth connectivity and its limited range. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'bluetooth.service' +"$SYSTEMCTL_EXEC" disable 'bluetooth.service' +"$SYSTEMCTL_EXEC" mask 'bluetooth.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^bluetooth.socket'; then + "$SYSTEMCTL_EXEC" stop 'bluetooth.socket' + "$SYSTEMCTL_EXEC" mask 'bluetooth.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'bluetooth.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable service bluetooth + block: + + - name: Gather the service facts + service_facts: null + + - name: Disable service bluetooth + systemd: + name: bluetooth.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"bluetooth.service" in ansible_facts.services' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.16 + - NIST-800-53-AC-18(3) + - NIST-800-53-AC-18(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_bluetooth_disabled + +- name: Unit Socket Exists - bluetooth.socket + command: systemctl list-unit-files bluetooth.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.16 + - NIST-800-53-AC-18(3) + - NIST-800-53-AC-18(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - disable_strategy + - low_complexity + - low_disruption + - 
medium_severity + - no_reboot_needed + - service_bluetooth_disabled + +- name: Disable socket bluetooth + systemd: + name: bluetooth.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"bluetooth.socket" in socket_file_exists.stdout_lines[1]' + tags: + - NIST-800-171-3.1.16 + - NIST-800-53-AC-18(3) + - NIST-800-53-AC-18(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_bluetooth_disabled + + include disable_bluetooth + +class disable_bluetooth { + service {'bluetooth': + enable => false, + ensure => 'stopped', + } +} + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: bluetooth.service + enabled: false + mask: true + - name: bluetooth.socket + enabled: false + mask: true + + + + + + + + + + Disable Bluetooth Kernel Module + The kernel's module loading system can be configured to prevent +loading of the Bluetooth module. 
Add the following to +the appropriate /etc/modprobe.d configuration file +to prevent the loading of the Bluetooth module: +install bluetooth /bin/true + 5.13.1.3 + 3.1.16 + CCI-000085 + CCI-001551 + CCI-001443 + AC-18(a) + AC-18(3) + CM-7(a) + CM-7(b) + CM-6(a) + MP-7 + PR.AC-3 + PR.IP-1 + PR.PT-3 + PR.PT-4 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.04 + DSS05.02 + DSS05.03 + DSS05.05 + DSS06.06 + A.11.2.6 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.2.1 + A.6.2.2 + A.9.1.2 + 11 + 12 + 14 + 15 + 3 + 8 + 9 + SRG-OS-000095-GPOS-00049 + SRG-OS-000300-GPOS-00118 + If Bluetooth functionality must be disabled, preventing the kernel +from loading the kernel module provides an additional safeguard against its +activation. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if LC_ALL=C grep -q -m 1 "^install bluetooth" /etc/modprobe.d/bluetooth.conf ; then + sed -i 's/^install bluetooth.*/install bluetooth /bin/true/g' /etc/modprobe.d/bluetooth.conf +else + echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/bluetooth.conf + echo "install bluetooth /bin/true" >> /etc/modprobe.d/bluetooth.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure kernel module 'bluetooth' is disabled + lineinfile: + create: true + dest: /etc/modprobe.d/bluetooth.conf + regexp: bluetooth + line: install bluetooth /bin/true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.13.1.3 + - NIST-800-171-3.1.16 + - NIST-800-53-AC-18(3) + - NIST-800-53-AC-18(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - disable_strategy + - kernel_module_bluetooth_disabled + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,install%20bluetooth%20/bin/true%0A + mode: 0644 + path: /etc/modprobe.d/75-kernel_module_bluetooth_disabled.conf + overwrite: true + + + + + + + + + + Deactivate Wireless Network Interfaces + Deactivating wireless network interfaces should prevent +normal usage of the wireless capability. 
+ + +Configure the system to disable all wireless network interfaces with the +following command: +$ sudo nmcli radio wifi off + 3.1.16 + CCI-000085 + CCI-002418 + CCI-002421 + CCI-001444 + AC-18(a) + AC-18(3) + CM-7(a) + CM-7(b) + CM-6(a) + MP-7 + PR.AC-3 + PR.IP-1 + PR.PT-3 + PR.PT-4 + SRG-OS-000299-GPOS-00117 + SRG-OS-000300-GPOS-00118 + SRG-OS-000424-GPOS-00188 + SRG-OS-000481-GPOS-000481 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.04 + DSS05.02 + DSS05.03 + DSS05.05 + DSS06.06 + A.11.2.6 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.2.1 + A.6.2.2 + A.9.1.2 + 11 + 12 + 14 + 15 + 3 + 8 + 9 + 1315 + 1319 + The use of wireless networking can introduce many different attack vectors into +the organization's network. Common attack vectors such as malicious association +and ad hoc networks will allow an attacker to spoof a wireless access point +(AP), allowing validated systems to connect to the malicious AP and enabling the +attacker to monitor and record network traffic. These malicious APs can also +serve to create a man-in-the-middle attack or be used to create a denial of +service to valid network resources. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +nmcli radio wifi off + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Deactivate Wireless Network Interfaces + command: nmcli radio wifi off + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.16 + - NIST-800-53-AC-18(3) + - NIST-800-53-AC-18(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-MP-7 + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - unknown_strategy + - wireless_disable_interfaces + + + + + + + + + + Disable WiFi or Bluetooth in BIOS + Some machines that include built-in wireless support offer the +ability to disable the device through the BIOS. This is hardware-specific; +consult your hardware manual or explore the BIOS setup during +boot. + CCI-000085 + AC-18(a) + AC-18(3) + CM-7(a) + CM-7(b) + CM-6(a) + MP-7 + PR.AC-3 + PR.IP-1 + PR.PT-3 + PR.PT-4 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.04 + DSS05.02 + DSS05.03 + DSS05.05 + DSS06.06 + A.11.2.6 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.2.1 + A.6.2.2 + A.9.1.2 + 11 + 12 + 14 + 15 + 3 + 8 + 9 + Disabling wireless support in the BIOS prevents easy +activation of the wireless interface, generally requiring administrators +to reboot the system first. 
+ + + + + + Disable Unused Interfaces + Network interfaces expand the attack surface of the +system. Unused interfaces are not monitored or controlled, and +should be disabled. + +If the system does not require network communications but still +needs to use the loopback interface, remove all files of the form +ifcfg-interface except for ifcfg-lo from +/etc/sysconfig/network-scripts: +$ sudo rm /etc/sysconfig/network-scripts/ifcfg-interface +If the system is a standalone machine with no need for network access or even +communication over the loopback device, then disable this service. + +The network service can be disabled with the following command: +$ sudo systemctl mask --now network.service + + + SuSEfirewall2 + The SuSEfirewall2 provides a managed firewall. + + + iptables and ip6tables + A host-based firewall called netfilter is included as +part of the Linux kernel distributed with the system. It is +activated by default. This firewall is controlled by the program +iptables, and the entire capability is frequently referred to by +this name. An analogous program called ip6tables handles filtering +for IPv6. + +Unlike TCP Wrappers, which depends on the network server +program to support and respect the rules written, netfilter +filtering occurs at the kernel level, before a program can even +process the data from the network packet. As such, any program on +the system is affected by the rules written. + +This section provides basic information about strengthening +the iptables and ip6tables configurations included with the system. +For more complete information that may allow the construction of a +sophisticated ruleset tailored to your environment, please consult +the references at the end of this section. + + Install iptables Package + The iptables package can be installed with the following command: + +$ sudo dnf install iptables + CM-6(a) + SRG-OS-000480-GPOS-00227 + iptables controls the Linux kernel network packet filtering +code. 
iptables allows system operators to set up firewalls and IP +masquerading, etc. + +if ! rpm -q --quiet "iptables" ; then + dnf install -y "iptables" +fi + + - name: Ensure iptables is installed + package: + name: iptables + state: present + tags: + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_iptables_installed + + include install_iptables + +class install_iptables { + package { 'iptables': + ensure => 'installed', + } +} + + +package --add=iptables + + +[[packages]] +name = "iptables" +version = "*" + + + + + + + + + + Strengthen the Default Ruleset + The default rules can be strengthened. The system +scripts that activate the firewall rules expect them to be defined +in the configuration files iptables and ip6tables in the directory +/etc/sysconfig. Many of the lines in these files are similar +to the command line arguments that would be provided to the programs +/sbin/iptables or /sbin/ip6tables - but some are quite +different. + +The following recommendations describe how to strengthen the +default ruleset configuration file. An alternative to editing this +configuration file is to create a shell script that makes calls to +the iptables program to load in rules, and then invokes service +iptables save to write those loaded rules to +/etc/sysconfig/iptables. + +The following alterations can be made directly to +/etc/sysconfig/iptables and /etc/sysconfig/ip6tables. +Instructions apply to both unless otherwise noted. Language and address +conventions for regular iptables are used throughout this section; +configuration for ip6tables will be either analogous or explicitly +covered. + The program system-config-securitylevel +allows additional services to penetrate the default firewall rules +and automatically adjusts /etc/sysconfig/iptables. This program +is only useful if the default ruleset meets your security +requirements. 
Otherwise, this program should not be used to make +changes to the firewall configuration because it re-writes the +saved configuration file. + + Set Default iptables Policy for Incoming Packets + To set the default policy to DROP (instead of ACCEPT) for +the built-in INPUT chain which processes incoming packets, +add or correct the following line in +/etc/sysconfig/iptables: +:INPUT DROP [0:0] + CA-3(5) + CM-7(b) + SC-7(23) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + In iptables the default policy is applied only after all +the applicable rules in the table are examined for a match. Setting the +default policy to DROP implements proper design for a firewall, i.e. +any packets which are not explicitly permitted should not be +accepted. 
+ + + + + + Set Default iptables Policy for Forwarded Packets + To set the default policy to DROP (instead of ACCEPT) for +the built-in FORWARD chain which processes packets that will be forwarded from +one interface to another, +add or correct the following line in +/etc/sysconfig/iptables: +:FORWARD DROP [0:0] + CA-3(5) + CM-7(b) + SC-7(23) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + In iptables, the default policy is applied only after all +the applicable rules in the table are examined for a match. Setting the +default policy to DROP implements proper design for a firewall, i.e. +any packets which are not explicitly permitted should not be +accepted. + + + + + + Restrict ICMP Message Types + In /etc/sysconfig/iptables, the accepted ICMP messages +types can be restricted. To accept only ICMP echo reply, destination +unreachable, and time exceeded messages, remove the line: +-A INPUT -p icmp --icmp-type any -j ACCEPT +and insert the lines: +-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT +-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT +-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT +To allow the system to respond to pings, also insert the following line: +-A INPUT -p icmp --icmp-type echo-request -j ACCEPT +Ping responses can also be limited to certain networks or hosts by using the -s +option in the previous rule. 
Because IPv6 depends so heavily on ICMPv6, it is +preferable to deny the ICMPv6 packets you know you don't need (e.g. ping +requests) in /etc/sysconfig/ip6tables, while letting everything else +through: +-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP +If you are going to statically configure the system's address, it should +ignore Router Advertisements which could add another IPv6 address to the +interface or alter important network settings: +-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP +Restricting ICMPv6 message types in /etc/sysconfig/ip6tables is not +recommended because the operation of IPv6 depends heavily on ICMPv6. Thus, great +care must be taken if any other ICMPv6 types are blocked. + + + Log and Drop Packets with Suspicious Source Addresses + Packets with non-routable source addresses should be rejected, as they may indicate spoofing. Because the +modified policy will reject non-matching packets, you only need to add these rules if you are interested in also +logging these spoofing or suspicious attempts before they are dropped. If you do choose to log various suspicious +traffic, add identical rules with a target of DROP after each LOG. 
+To log and then drop these IPv4 packets, insert the following rules in /etc/sysconfig/iptables (excepting +any that are intentionally used): +-A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: " +-A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: " +-A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: " +-A INPUT -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: " +-A INPUT -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: " +-A INPUT -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: " +Similarly, you might wish to log packets containing some IPv6 reserved addresses if they are not expected +on your network: +-A INPUT -i eth0 -s ::1 -j LOG --log-prefix "IPv6 DROP LOOPBACK: " +-A INPUT -s 2002:E000::/20 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " +-A INPUT -s 2002:7F00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " +-A INPUT -s 2002:0000::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " +-A INPUT -s 2002:FF00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " +-A INPUT -s 2002:0A00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " +-A INPUT -s 2002:AC10::/28 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " +-A INPUT -s 2002:C0A8::/32 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " +If you are not expecting to see site-local multicast or auto-tunneled traffic, you can log those: +-A INPUT -s FF05::/16 -j LOG --log-prefix "IPv6 SITE-LOCAL MULTICAST: " +-A INPUT -s ::0.0.0.0/96 -j LOG --log-prefix "IPv4 COMPATIBLE IPv6 ADDR: " +If you wish to block multicasts to all link-local nodes (e.g. 
if you are not using router auto-configuration and +do not plan to have any services that multicast to the entire local network), you can block the link-local +all-nodes multicast address (before accepting incoming ICMPv6): +-A INPUT -d FF02::1 -j LOG --log-prefix "Link-local All-Nodes Multicast: " +However, if you're going to allow IPv4 compatible IPv6 addresses (of the form ::0.0.0.0/96), you should +then consider logging the non-routable IPv4-compatible addresses: +-A INPUT -s ::0.0.0.0/104 -j LOG --log-prefix "IP NON-ROUTABLE ADDR: " +-A INPUT -s ::127.0.0.0/104 -j LOG --log-prefix "IP DROP LOOPBACK: " +-A INPUT -s ::224.0.0.0.0/100 -j LOG --log-prefix "IP DROP MULTICAST D: " +-A INPUT -s ::255.0.0.0/104 -j LOG --log-prefix "IP BROADCAST: " +If you are not expecting to see any IPv4 (or IPv4-compatible) traffic on your network, consider logging it before it gets dropped: +-A INPUT -s ::FFFF:0.0.0.0/96 -j LOG --log-prefix "IPv4 MAPPED IPv6 ADDR: " +-A INPUT -s 2002::/16 -j LOG --log-prefix "IPv6 6to4 ADDR: " +The following rule will log all traffic originating from a site-local address, which is deprecated address space: +-A INPUT -s FEC0::/10 -j LOG --log-prefix "SITE-LOCAL ADDRESS TRAFFIC: " + + + + Inspect and Activate Default Rules + View the currently-enforced iptables rules by running +the command: +$ sudo iptables -nL --line-numbers +The command is analogous for ip6tables. 
+ +If the firewall does not appear to be active (i.e., no rules +appear), activate it and ensure that it starts at boot by issuing +the following commands (and analogously for ip6tables): +$ sudo service iptables restart +The default iptables rules are: +Chain INPUT (policy ACCEPT) +num target prot opt source destination +1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED +2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 +3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 +4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 +5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited + +Chain FORWARD (policy ACCEPT) +num target prot opt source destination +1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited + +Chain OUTPUT (policy ACCEPT) +num target prot opt source destination +The ip6tables default rules are essentially the same. + + Verify ip6tables Enabled if Using IPv6 + +The ip6tables service can be enabled with the following command: +$ sudo systemctl enable ip6tables.service + AC-4 + CM-7(b) + CA-3(5) + SC-7(21) + CM-6(a) + DE.AE-1 + ID.AM-3 + PR.AC-5 + PR.DS-5 + PR.IP-1 + PR.PT-3 + PR.PT-4 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.2.3.4 + 4.3.3.4 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + 4.4.3.3 + APO01.06 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.05 + DSS03.01 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.06 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + 
A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 4 + 6 + 8 + 9 + The ip6tables service provides the system's host-based firewalling +capability for IPv6 and ICMPv6. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'ip6tables.service' +"$SYSTEMCTL_EXEC" start 'ip6tables.service' +"$SYSTEMCTL_EXEC" enable 'ip6tables.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable service ip6tables + block: + + - name: Gather the package facts + package_facts: + manager: auto + + - name: Enable service ip6tables + service: + name: ip6tables + enabled: 'yes' + state: started + masked: 'no' + when: + - '"iptables-ipv6" in ansible_facts.packages' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-4 + - NIST-800-53-CA-3(5) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(21) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_ip6tables_enabled + + include enable_ip6tables + +class enable_ip6tables { + service {'ip6tables': + enable => true, + ensure => 'running', + } +} + + + + + + + + + + Verify iptables Enabled + +The iptables service can be enabled with the following command: +$ sudo systemctl enable iptables.service + AC-4 + CM-7(b) + CA-3(5) + SC-7(21) + CM-6(a) + DE.AE-1 + ID.AM-3 + PR.AC-5 + PR.DS-5 + PR.IP-1 + PR.PT-3 + PR.PT-4 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 
4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.2.3.4 + 4.3.3.4 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + 4.4.3.3 + APO01.06 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.05 + DSS03.01 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.06 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 4 + 6 + 8 + 9 + The iptables service provides the system's host-based firewalling +capability for IPv4 and ICMP. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'iptables.service' +"$SYSTEMCTL_EXEC" start 'iptables.service' +"$SYSTEMCTL_EXEC" enable 'iptables.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable service iptables + block: + + - name: Gather the package facts + package_facts: + manager: auto + + - name: Enable service iptables + service: + name: iptables + enabled: 'yes' + state: started + masked: 'no' + when: + - '"iptables" in ansible_facts.packages' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-4 + - NIST-800-53-CA-3(5) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(21) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_iptables_enabled + + include enable_iptables + +class enable_iptables { + service {'iptables': + enable => true, + ensure => 'running', + } +} + + + + + + + + + + Set Default ip6tables Policy for Incoming Packets + To set the default policy to DROP (instead of ACCEPT) for +the built-in INPUT chain which processes incoming packets, +add or correct the following line in +/etc/sysconfig/ip6tables: +:INPUT DROP [0:0] +If changes were required, reload the ip6tables rules: +$ sudo service ip6tables reload + AC-4 + CM-7(b) + CA-3(5) + SC-7(21) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + 
DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + In ip6tables, the default policy is applied only after all +the applicable rules in the table are examined for a match. Setting the +default policy to DROP implements proper design for a firewall, i.e. +any packets which are not explicitly permitted should not be +accepted. + + + + + + + + IPSec Support + Support for Internet Protocol Security (IPsec) +is provided with Libreswan. + + Install libreswan Package + The Libreswan package provides an implementation of IPsec +and IKE, which permits the creation of secure tunnels over +untrusted networks. The libreswan package can be installed with the following command: + +$ sudo dnf install libreswan + CCI-001130 + CCI-001131 + CM-6(a) + PR.AC-3 + PR.MA-2 + PR.PT-4 + Req-4.1 + SR 1.13 + SR 2.6 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + APO13.01 + DSS01.04 + DSS05.02 + DSS05.03 + DSS05.04 + A.11.2.4 + A.11.2.6 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.15.1.1 + A.15.2.1 + A.6.2.1 + A.6.2.2 + 12 + 15 + 3 + 5 + 8 + SRG-OS-000480-GPOS-00227 + SRG-OS-000120-GPOS-00061 + Providing the ability for remote users or systems +to initiate a secure VPN connection protects information when it is +transmitted over a wide area network. + +if ! 
rpm -q --quiet "libreswan" ; then + dnf install -y "libreswan" +fi + + - name: Ensure libreswan is installed + package: + name: libreswan + state: present + tags: + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-4.1 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_libreswan_installed + + include install_libreswan + +class install_libreswan { + package { 'libreswan': + ensure => 'installed', + } +} + + +package --add=libreswan + + +[[packages]] +name = "libreswan" +version = "*" + + + + + + + + + + Verify Any Configured IPSec Tunnel Connections + Libreswan provides an implementation of IPsec +and IKE, which permits the creation of secure tunnels over +untrusted networks. As such, IPsec can be used to circumvent certain +network requirements such as filtering. Verify that if any IPsec connection +(conn) configured in /etc/ipsec.conf and /etc/ipsec.d +exists is an approved organizational connection. + CCI-000336 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + AC-17(a) + MA-4(6) + CM-6(a) + AC-4 + SC-8 + DE.AE-1 + ID.AM-3 + PR.AC-5 + PR.DS-5 + PR.PT-4 + SRG-OS-000480-GPOS-00227 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.2.3.4 + 4.3.3.4 + 4.4.3.3 + APO01.06 + APO13.01 + DSS01.05 + DSS03.01 + DSS05.02 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 12 + 13 + 14 + 15 + 16 + 18 + 4 + 6 + 8 + 9 + IP tunneling mechanisms can be used to bypass network filtering. 
+ + + + + + + firewalld + The dynamic firewall daemon firewalld provides a +dynamically managed firewall with support for network “zones” to assign +a level of trust to a network and its associated connections and interfaces. +It has support for IPv4 and IPv6 firewall settings. It supports Ethernet +bridges and has a separation of runtime and permanent configuration options. +It also has an interface for services or applications to add firewall rules +directly. + +A graphical configuration tool, firewall-config, is used to configure +firewalld, which in turn uses iptables tool to communicate +with Netfilter in the kernel which implements packet filtering. + +The firewall service provided by firewalld is dynamic rather than +static because changes to the configuration can be made at anytime and are +immediately implemented. There is no need to save or apply the changes. No +unintended disruption of existing network connections occurs as no part of +the firewall has to be reloaded. + + + Inspect and Activate Default firewalld Rules + Firewalls can be used to separate networks into different zones +based on the level of trust the user has decided to place on the devices and +traffic within that network. NetworkManager informs firewalld to which +zone an interface belongs. An interface's assigned zone can be changed by +NetworkManager or via the firewall-config tool. + +The zone settings in /etc/firewalld/ are a range of preset settings +which can be quickly applied to a network interface. These are the zones +provided by firewalld sorted according to the default trust level of the +zones from untrusted to trusted: +dropAny incoming network packets are dropped, there is no +reply. Only outgoing network connections are possible.blockAny incoming network connections are rejected with an +icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited +for IPv6. Only network connections initiated from within the system are +possible.publicFor use in public areas. 
You do not trust the other +computers on the network to not harm your computer. Only selected incoming +connections are accepted.externalFor use on external networks with masquerading enabled +especially for routers. You do not trust the other computers on the network to +not harm your computer. Only selected incoming connections are accepted.dmzFor computers in your demilitarized zone that are +publicly-accessible with limited access to your internal network. Only selected +incoming connections are accepted.workFor use in work areas. You mostly trust the other computers +on networks to not harm your computer. Only selected incoming connections are +accepted.homeFor use in home areas. You mostly trust the other computers +on networks to not harm your computer. Only selected incoming connections are +accepted.internalFor use on internal networks. You mostly trust the +other computers on the networks to not harm your computer. Only selected +incoming connections are accepted.trustedAll network connections are accepted. + +It is possible to designate one of these zones to be the default zone. When +interface connections are added to NetworkManager, they are assigned +to the default zone. On installation, the default zone in firewalld is set to +be the public zone. 
+ +To find out all the settings of a zone, for example the public zone, +enter the following command as root: +# firewall-cmd --zone=public --list-all +Example output of this command might look like the following: + +# firewall-cmd --zone=public --list-all +public + interfaces: + services: mdns dhcpv6-client ssh + ports: + forward-ports: + icmp-blocks: source-quench + +To view the network zones currently active, enter the following command as root: +# firewall-cmd --get-service +The following listing displays the result of this command +on common Fedora system: + +# firewall-cmd --get-service +amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp +high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd +ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn +pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind +samba samba-client smtp ssh telnet tftp tftp-client transmission-client +vnc-server wbem-https + +Finally to view the network zones that will be active after the next firewalld +service reload, enter the following command as root: +# firewall-cmd --get-service --permanent + + + Verify firewalld Enabled + +The firewalld service can be enabled with the following command: +$ sudo systemctl enable firewalld.service + 3.1.3 + 3.4.7 + CCI-000366 + CCI-000382 + CCI-002314 + AC-4 + CM-7(b) + CA-3(5) + SC-7(21) + CM-6(a) + PR.IP-1 + FMT_MOF_EXT.1 + SRG-OS-000096-GPOS-00050 + SRG-OS-000297-GPOS-00115 + SRG-OS-000480-GPOS-00227 + SRG-OS-000480-GPOS-00231 + SRG-OS-000480-GPOS-00232 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 3 + 9 + Access control methods provide the ability to enhance system security posture +by restricting services and known good IP addresses and address ranges. This +prevents connections from unknown hosts and protocols. 
+ + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'firewalld.service' +"$SYSTEMCTL_EXEC" start 'firewalld.service' +"$SYSTEMCTL_EXEC" enable 'firewalld.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable service firewalld + block: + + - name: Gather the package facts + package_facts: + manager: auto + + - name: Enable service firewalld + service: + name: firewalld + enabled: 'yes' + state: started + masked: 'no' + when: + - '"firewalld" in ansible_facts.packages' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.3 + - NIST-800-171-3.4.7 + - NIST-800-53-AC-4 + - NIST-800-53-CA-3(5) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(21) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_firewalld_enabled + + include enable_firewalld + +class enable_firewalld { + service {'firewalld': + enable => true, + ensure => 'running', + } +} + + + + + + + + + + + Strengthen the Default Ruleset + The default rules can be strengthened. The system +scripts that activate the firewall rules expect them to be defined +in configuration files under the /etc/firewalld/services +and /etc/firewalld/zones directories. + +The following recommendations describe how to strengthen the +default ruleset configuration file. An alternative to editing this +configuration file is to create a shell script that makes calls to +the firewall-cmd program to load in rules under the /etc/firewalld/services +and /etc/firewalld/zones directories. + +Instructions apply to both unless otherwise noted. Language and address +conventions for regular firewalld rules are used throughout this section. 
+ The program firewall-config +allows additional services to penetrate the default firewall rules +and automatically adjusts the firewalld ruleset(s). + + + Set Default firewalld Zone for Incoming Packets + To set the default zone to drop for +the built-in default zone which processes incoming IPv4 and IPv6 packets, +modify the following line in +/etc/firewalld/firewalld.conf to be: +DefaultZone=drop + To prevent denying any access to the system, automatic remediation +of this control is not available. Remediation must be automated as +a component of machine provisioning, or followed manually as outlined +above. + 5.10.1 + 3.1.3 + 3.4.7 + 3.13.6 + CCI-000366 + CA-3(5) + CM-7(b) + SC-7(23) + CM-6(a) + PR.IP-1 + PR.PT-3 + FMT_MOF_EXT.1 + SRG-OS-000480-GPOS-00227 + SRG-OS-000480-VMM-002000 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + 1416 + In firewalld the default zone is applied only after all +the applicable rules in the table are examined for a match. Setting the +default zone to drop implements proper design for a firewall, i.e. +any packets which are not explicitly permitted should not be +accepted. + + + + + + + + + + + + Transport Layer Security Support + Support for Transport Layer Security (TLS), and its predecessor, the Secure +Sockets Layer (SSL), is included in Red Hat Enterprise Linux in the OpenSSL software (RPM package +openssl). 
TLS provides encrypted and authenticated network +communications, and many network services include support for it. TLS or SSL +can be leveraged to avoid any plaintext transmission of sensitive data. + +For information on how to use OpenSSL, see +http://www.openssl.org/docs/. Information on FIPS validation +of OpenSSL is available at http://www.openssl.org/docs/fips.html +and http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm. + + + Kernel Parameters Which Affect Networking + The sysctl utility is used to set +parameters which affect the operation of the Linux kernel. Kernel parameters +which affect networking and have security implications are described here. + + Network Parameters for Hosts Only + If the system is not going to be used as a router, then setting certain +kernel parameters ensure that the host will not perform routing +of network traffic. + + Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces + To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0 + Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking. +Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in +profiles or benchmarks that target usage of IPv4 forwarding. 
+ BP28(R22) + 3.1.20 + CCI-000366 + CM-7(a) + CM-7(b) + SC-5 + CM-6(a) + SC-7(a) + DE.CM-1 + PR.DS-4 + PR.IP-1 + PR.PT-3 + PR.PT-4 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.2 + SR 7.1 + SR 7.2 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI04.04 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.05 + DSS05.07 + DSS06.06 + A.12.1.2 + A.12.1.3 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.17.2.1 + A.9.1.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 7 + 8 + 9 + Routing protocol daemons are typically used on routers to exchange +network topology information with other routers. If this capability is used when +not required, system network information may be unnecessarily transmitted across +the network. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# +# Set runtime for net.ipv4.ip_forward +# +/sbin/sysctl -q -n -w net.ipv4.ip_forward="0" + +# +# If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0" +# else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv4.ip_forward' "0" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl net.ipv4.ip_forward is set to 0 + sysctl: + name: net.ipv4.ip_forward + value: '0' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_ip_forward + + + + + + + + + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.send_redirects = 0 + BP28(R22) + 5.10.1.1 + 3.1.20 + CCI-000366 + CM-7(a) + CM-7(b) + SC-5 + CM-6(a) + SC-7(a) + DE.AE-1 + DE.CM-1 + ID.AM-3 + PR.AC-5 + PR.DS-4 + PR.DS-5 + PR.IP-1 + PR.PT-3 + PR.PT-4 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.2 + SR 7.1 + SR 7.2 + SR 7.6 + 4.2.3.4 + 4.3.3.4 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 
4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + 4.4.3.3 + APO01.06 + APO13.01 + BAI04.04 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.03 + DSS01.05 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.06 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.1.3 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.17.2.1 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 2 + 3 + 4 + 6 + 7 + 8 + 9 + ICMP redirect messages are used by routers to inform hosts that a more +direct route exists for a particular destination. These messages contain information +from the system's route table possibly revealing portions of the network topology. + +The ability to send ICMP redirects is only appropriate for systems acting as routers. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# +# Set runtime for net.ipv4.conf.all.send_redirects +# +/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects="0" + +# +# If net.ipv4.conf.all.send_redirects present in /etc/sysctl.conf, change value to "0" +# else, add "net.ipv4.conf.all.send_redirects = 0" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.send_redirects' "0" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl net.ipv4.conf.all.send_redirects is set to 0 + sysctl: + name: net.ipv4.conf.all.send_redirects + value: '0' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.10.1.1 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_send_redirects + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.all.send_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_send_redirects.conf + overwrite: true + + + + + + + + + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default + To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.send_redirects = 0 + BP28(R22) + 5.10.1.1 + 3.1.20 + CCI-000366 + CM-7(a) + CM-7(b) + SC-5 + CM-6(a) + SC-7(a) + DE.AE-1 + DE.CM-1 + ID.AM-3 + PR.AC-5 + PR.DS-4 + PR.DS-5 + PR.IP-1 + PR.PT-3 + PR.PT-4 + 
SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.2 + SR 7.1 + SR 7.2 + SR 7.6 + 4.2.3.4 + 4.3.3.4 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + 4.4.3.3 + APO01.06 + APO13.01 + BAI04.04 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.03 + DSS01.05 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.06 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.1.3 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.17.2.1 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 2 + 3 + 4 + 6 + 7 + 8 + 9 + ICMP redirect messages are used by routers to inform hosts that a more +direct route exists for a particular destination. These messages contain information +from the system's route table possibly revealing portions of the network topology. + +The ability to send ICMP redirects is only appropriate for systems acting as routers. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# +# Set runtime for net.ipv4.conf.default.send_redirects +# +/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects="0" + +# +# If net.ipv4.conf.default.send_redirects present in /etc/sysctl.conf, change value to "0" +# else, add "net.ipv4.conf.default.send_redirects = 0" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.send_redirects' "0" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl net.ipv4.conf.default.send_redirects is set to 0 + sysctl: + name: net.ipv4.conf.default.send_redirects + value: '0' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.10.1.1 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_default_send_redirects + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.default.send_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_send_redirects.conf + overwrite: true + + + + + + + + + + + Network Related Kernel Runtime Parameters for Hosts and Routers + Certain kernel parameters should be set for systems which are +acting as either hosts or routers to improve the system's ability defend +against certain types of IPv4 protocol attacks. + + + net.ipv4.conf.all.accept_redirects + Disable ICMP Redirect Acceptance + 0 + 0 + 1 + + + net.ipv4.conf.all.accept_source_route + Trackers could be using source-routed packets to +generate traffic that seems to be intra-net, but actually was +created outside and has been redirected. 
+ 0 + 0 + 1 + + + net.ipv4.conf.all.log_martians + Disable so you don't Log Spoofed Packets, Source +Routed Packets, Redirect Packets + 1 + 0 + 1 + + + net.ipv4.conf.all.rp_filter + Enable to enforce sanity checking, also called ingress +filtering or egress filtering. The point is to drop a packet if the +source and destination IP addresses in the IP header do not make +sense when considered in light of the physical interface on which +it arrived. + 1 + 0 + 1 + + + net.ipv4.conf.all.secure_redirects + Enable to prevent hijacking of routing path by only +allowing redirects from gateways known in routing +table. Disable to refuse acceptance of secure ICMP redirected packets on all interfaces. + 0 + 0 + 1 + + + net.ipv4.conf.default.accept_redirects + Disable ICMP Redirect Acceptance? + 0 + 0 + 1 + + + net.ipv4.conf.default.accept_source_route + Disable IP source routing? + 0 + 0 + 1 + + + net.ipv4.conf.default.log_martians + Disable so you don't Log Spoofed Packets, Source +Routed Packets, Redirect Packets + 1 + 0 + 1 + + + net.ipv4.conf.default.rp_filter + Enables source route verification + 1 + 0 + 1 + + + net.ipv4.conf.default.secure_redirects + Enable to prevent hijacking of routing path by only +allowing redirects from gateways known in routing +table. Disable to refuse acceptance of secure ICMP redirected packages by default. + 0 + 0 + 1 + + + net.ipv4.icmp_echo_ignore_broadcasts + Ignore all ICMP ECHO and TIMESTAMP requests sent to it +via broadcast/multicast + 1 + 0 + 1 + + + net.ipv4.icmp_ignore_bogus_error_responses + Enable to prevent unnecessary logging + 1 + 0 + 1 + + + net.ipv4.tcp_invalid_ratelimit + Configure the maximal rate for sending duplicate acknowledgments in +response to incoming invalid TCP packets. 
+ 500 + 1000 + 500 + 250 + 100 + + + net.ipv4.tcp_rfc1337 + Enable to enable TCP behavior conformant with RFC 1337 + 1 + 0 + 1 + + + net.ipv4.tcp_syncookies + Enable to turn on TCP SYN Cookie +Protection + 1 + 0 + 1 + + + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_source_route = 0 + BP28(R22) + 3.1.20 + CCI-000366 + CM-7(a) + CM-7(b) + SC-5 + CM-6(a) + SC-7(a) + DE.AE-1 + DE.CM-1 + ID.AM-3 + PR.AC-5 + PR.DS-4 + PR.DS-5 + PR.IP-1 + PR.PT-3 + PR.PT-4 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.2 + SR 7.1 + SR 7.2 + SR 7.6 + 4.2.3.4 + 4.3.3.4 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + 4.4.3.3 + APO01.06 + APO13.01 + BAI04.04 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.03 + DSS01.05 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.06 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.1.3 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.17.2.1 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 
14 + 15 + 16 + 18 + 2 + 3 + 4 + 6 + 7 + 8 + 9 + Source-routed packets allow the source of the packet to suggest routers +forward the packet along a different path than configured on the router, +which can be used to bypass network security measures. This requirement +applies only to the forwarding of source-routerd traffic, such as when IPv4 +forwarding is enabled and the system is functioning as a router. + +Accepting source-routed packets in the IPv4 protocol has few legitimate +uses. It should be disabled unless it is absolutely required. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +sysctl_net_ipv4_conf_all_accept_source_route_value="" + + + +# +# Set runtime for net.ipv4.conf.all.accept_source_route +# +/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route="$sysctl_net_ipv4_conf_all_accept_source_route_value" + +# +# If net.ipv4.conf.all.accept_source_route present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.accept_source_route = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.accept_source_route' "$sysctl_net_ipv4_conf_all_accept_source_route_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv4_conf_all_accept_source_route_value # promote to variable + set_fact: + sysctl_net_ipv4_conf_all_accept_source_route_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv4.conf.all.accept_source_route is set + sysctl: + name: net.ipv4.conf.all.accept_source_route + value: '{{ sysctl_net_ipv4_conf_all_accept_source_route_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - disable_strategy + - 
low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_accept_source_route + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.all.accept_source_route%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_source_route.conf + overwrite: true + + + + + + + + + + + Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces + To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1 + BP28(R22) + 3.1.20 + CM-7(a) + CM-7(b) + SC-5 + DE.CM-1 + PR.DS-4 + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 6.2 + SR 7.1 + SR 7.2 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI04.04 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.05 + DSS05.07 + DSS06.06 + A.12.1.2 + A.12.1.3 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.17.2.1 + A.9.1.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 7 + 8 + 9 + SRG-OS-000480-GPOS-00227 + Ignoring bogus ICMP error responses reduces +log size, although some activity would not be logged. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value="" + + + +# +# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses +# +/sbin/sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses="$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" + +# +# If net.ipv4.icmp_ignore_bogus_error_responses present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.icmp_ignore_bogus_error_responses = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv4.icmp_ignore_bogus_error_responses' "$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value # promote to variable + set_fact: + sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv4.icmp_ignore_bogus_error_responses is set + sysctl: + name: net.ipv4.icmp_ignore_bogus_error_responses + value: '{{ sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses + - unknown_severity + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.icmp_ignore_bogus_error_responses%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_ignore_bogus_error_responses.conf + overwrite: true + + + + + + + + + + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default + To set the runtime status of the 
net.ipv4.conf.default.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.rp_filter=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.rp_filter = 1 + CCI-000366 + BP28(R22) + 3.1.20 + CM-7(a) + CM-7(b) + CM-6(a) + SC-7(a) + DE.AE-1 + DE.CM-1 + ID.AM-3 + PR.AC-5 + PR.DS-4 + PR.DS-5 + PR.PT-4 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.2 + SR 7.1 + SR 7.2 + SR 7.6 + 4.2.3.4 + 4.3.3.4 + 4.4.3.3 + APO01.06 + APO13.01 + BAI04.04 + DSS01.03 + DSS01.05 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.1.3 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.17.2.1 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 12 + 13 + 14 + 15 + 16 + 18 + 2 + 4 + 6 + 7 + 8 + 9 + SRG-OS-000480-GPOS-00227 + Enabling reverse path filtering drops packets with source addresses +that should not have been able to be received on the interface they were +received on. It should not be used on systems which are routers for +complicated networks, but is helpful for end hosts and routers serving small +networks. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv4_conf_default_rp_filter_value="" + + + +# +# Set runtime for net.ipv4.conf.default.rp_filter +# +/sbin/sysctl -q -n -w net.ipv4.conf.default.rp_filter="$sysctl_net_ipv4_conf_default_rp_filter_value" + +# +# If net.ipv4.conf.default.rp_filter present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.default.rp_filter = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.rp_filter' "$sysctl_net_ipv4_conf_default_rp_filter_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv4_conf_default_rp_filter_value # promote to variable + set_fact: + sysctl_net_ipv4_conf_default_rp_filter_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv4.conf.default.rp_filter is set + sysctl: + name: net.ipv4.conf.default.rp_filter + value: '{{ sysctl_net_ipv4_conf_default_rp_filter_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_default_rp_filter + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.default.rp_filter%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_rp_filter.conf + overwrite: true + + + + + + + + + + + Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.log_martians=1 +To make sure that the setting is persistent, add the 
following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.log_martians = 1 + BP28(R22) + 3.1.20 + CCI-000126 + CM-7(a) + CM-7(b) + SC-5(3)(a) + DE.CM-1 + PR.AC-3 + PR.DS-4 + PR.IP-1 + PR.PT-3 + PR.PT-4 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.2 + SR 7.1 + SR 7.2 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI04.04 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.03 + DSS01.04 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.05 + DSS05.07 + DSS06.06 + A.11.2.6 + A.12.1.2 + A.12.1.3 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.17.2.1 + A.6.2.1 + A.6.2.2 + A.9.1.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 7 + 8 + 9 + SRG-OS-000480-GPOS-00227 + The presence of "martian" packets (which have impossible addresses) +as well as spoofed packets, source-routed packets, and redirects could be a +sign of nefarious network activity. Logging these packets enables this activity +to be detected. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv4_conf_all_log_martians_value="" + + + +# +# Set runtime for net.ipv4.conf.all.log_martians +# +/sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians="$sysctl_net_ipv4_conf_all_log_martians_value" + +# +# If net.ipv4.conf.all.log_martians present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.log_martians = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.log_martians' "$sysctl_net_ipv4_conf_all_log_martians_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv4_conf_all_log_martians_value # promote to variable + set_fact: + sysctl_net_ipv4_conf_all_log_martians_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv4.conf.all.log_martians is set + sysctl: + name: net.ipv4.conf.all.log_martians + value: '{{ sysctl_net_ipv4_conf_all_log_martians_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5(3)(a) + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv4_conf_all_log_martians + - unknown_severity + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.all.log_martians%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_log_martians.conf + overwrite: true + + + + + + + + + + + Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default + To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.log_martians=1 +To make sure that the setting is persistent, add the following line to 
a file in the directory /etc/sysctl.d: net.ipv4.conf.default.log_martians = 1 + 3.1.20 + CCI-000126 + CM-7(a) + CM-7(b) + SC-5(3)(a) + DE.CM-1 + PR.AC-3 + PR.DS-4 + PR.IP-1 + PR.PT-3 + PR.PT-4 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.2 + SR 7.1 + SR 7.2 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI04.04 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.03 + DSS01.04 + DSS03.05 + DSS05.02 + DSS05.03 + DSS05.05 + DSS05.07 + DSS06.06 + A.11.2.6 + A.12.1.2 + A.12.1.3 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.17.2.1 + A.6.2.1 + A.6.2.2 + A.9.1.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 7 + 8 + 9 + SRG-OS-000480-GPOS-00227 + The presence of "martian" packets (which have impossible addresses) +as well as spoofed packets, source-routed packets, and redirects could be a +sign of nefarious network activity. Logging these packets enables this activity +to be detected. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv4_conf_default_log_martians_value="" + + + +# +# Set runtime for net.ipv4.conf.default.log_martians +# +/sbin/sysctl -q -n -w net.ipv4.conf.default.log_martians="$sysctl_net_ipv4_conf_default_log_martians_value" + +# +# If net.ipv4.conf.default.log_martians present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.default.log_martians = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.log_martians' "$sysctl_net_ipv4_conf_default_log_martians_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv4_conf_default_log_martians_value # promote to variable + set_fact: + sysctl_net_ipv4_conf_default_log_martians_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv4.conf.default.log_martians is set + sysctl: + name: net.ipv4.conf.default.log_martians + value: '{{ sysctl_net_ipv4_conf_default_log_martians_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5(3)(a) + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv4_conf_default_log_martians + - unknown_severity + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.default.log_martians%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_log_martians.conf + overwrite: true + + + + + + + + + + + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default + To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w 
net.ipv4.conf.default.accept_source_route=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_source_route = 0 + BP28(R22) + 5.10.1.1 + 3.1.20 + CCI-000366 + CCI-001551 + CM-7(a) + CM-7(b) + SC-5 + SC-7(a) + DE.AE-1 + DE.CM-1 + ID.AM-3 + PR.AC-5 + PR.DS-4 + PR.DS-5 + PR.IP-1 + PR.PT-3 + PR.PT-4 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.2 + SR 7.1 + SR 7.2 + SR 7.6 + 4.2.3.4 + 4.3.3.4 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + 4.4.3.3 + APO01.06 + APO13.01 + BAI04.04 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.03 + DSS01.05 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.06 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.1.3 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.17.2.1 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 2 + 3 + 4 + 6 + 7 + 8 + 9 + Source-routed packets allow the source of the packet to suggest routers +forward the packet along a different path than configured on the router, +which can be used to bypass network security measures. + +Accepting source-routed packets in the IPv4 protocol has few legitimate +uses. 
It should be disabled unless it is absolutely required, such as when +IPv4 forwarding is enabled and the system is legitimately functioning as a +router. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +sysctl_net_ipv4_conf_default_accept_source_route_value="" + + + +# +# Set runtime for net.ipv4.conf.default.accept_source_route +# +/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route="$sysctl_net_ipv4_conf_default_accept_source_route_value" + +# +# If net.ipv4.conf.default.accept_source_route present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.default.accept_source_route = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.accept_source_route' "$sysctl_net_ipv4_conf_default_accept_source_route_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv4_conf_default_accept_source_route_value # promote to variable + set_fact: + sysctl_net_ipv4_conf_default_accept_source_route_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv4.conf.default.accept_source_route is set + sysctl: + name: net.ipv4.conf.default.accept_source_route + value: '{{ sysctl_net_ipv4_conf_default_accept_source_route_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.10.1.1 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_default_accept_source_route + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,net.ipv4.conf.default.accept_source_route%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_source_route.conf + overwrite: true + + + + + + + + + + + Disable Accepting ICMP Redirects for All IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_redirects = 0 + BP28(R22) + 5.10.1.1 + 3.1.20 + CCI-000366 + CCI-001503 + CCI-001551 + CM-7(a) + CM-7(b) + CM-6(a) + SC-7(a) + DE.CM-1 + PR.DS-4 + PR.IP-1 + PR.PT-3 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 6.2 + SR 7.1 + SR 7.2 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI04.04 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.05 + DSS05.07 + DSS06.06 + A.12.1.2 + A.12.1.3 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.17.2.1 + A.9.1.2 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 2 + 3 + 7 + 8 + 9 + ICMP redirect messages are used by routers to inform hosts that a more +direct route exists for a particular destination. These messages modify the +host's route table and are unauthenticated. An illicit ICMP redirect +message could result in a man-in-the-middle attack. + +This feature of the IPv4 protocol has few legitimate uses. It should be +disabled unless absolutely required." + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv4_conf_all_accept_redirects_value="" + + + +# +# Set runtime for net.ipv4.conf.all.accept_redirects +# +/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects="$sysctl_net_ipv4_conf_all_accept_redirects_value" + +# +# If net.ipv4.conf.all.accept_redirects present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.accept_redirects = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.accept_redirects' "$sysctl_net_ipv4_conf_all_accept_redirects_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv4_conf_all_accept_redirects_value # promote to variable + set_fact: + sysctl_net_ipv4_conf_all_accept_redirects_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv4.conf.all.accept_redirects is set + sysctl: + name: net.ipv4.conf.all.accept_redirects + value: '{{ sysctl_net_ipv4_conf_all_accept_redirects_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.10.1.1 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_accept_redirects + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.all.accept_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_redirects.conf + overwrite: true + + + + + + + + + + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w 
net.ipv4.conf.default.accept_redirects=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0 + BP28(R22) + 5.10.1.1 + 3.1.20 + CCI-000366 + CCI-001551 + CM-7(a) + CM-7(b) + CM-6(a) + SC-7(a) + DE.AE-1 + DE.CM-1 + ID.AM-3 + PR.AC-5 + PR.DS-4 + PR.DS-5 + PR.IP-1 + PR.PT-3 + PR.PT-4 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.2 + SR 7.1 + SR 7.2 + SR 7.6 + 4.2.3.4 + 4.3.3.4 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + 4.4.3.3 + APO01.06 + APO13.01 + BAI04.04 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.03 + DSS01.05 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.06 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.1.3 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.17.2.1 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 2 + 3 + 4 + 6 + 7 + 8 + 9 + ICMP redirect messages are used by routers to inform hosts that a more +direct route exists for a particular destination. These messages modify the +host's route table and are unauthenticated. An illicit ICMP redirect +message could result in a man-in-the-middle attack. +This feature of the IPv4 protocol has few legitimate uses. 
It should +be disabled unless absolutely required. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +sysctl_net_ipv4_conf_default_accept_redirects_value="" + + + +# +# Set runtime for net.ipv4.conf.default.accept_redirects +# +/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects="$sysctl_net_ipv4_conf_default_accept_redirects_value" + +# +# If net.ipv4.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.default.accept_redirects = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.accept_redirects' "$sysctl_net_ipv4_conf_default_accept_redirects_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv4_conf_default_accept_redirects_value # promote to variable + set_fact: + sysctl_net_ipv4_conf_default_accept_redirects_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv4.conf.default.accept_redirects is set + sysctl: + name: net.ipv4.conf.default.accept_redirects + value: '{{ sysctl_net_ipv4_conf_default_accept_redirects_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.10.1.1 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_default_accept_redirects + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.default.accept_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_redirects.conf + overwrite: true + + + + + + + + + + + Set Kernel 
Parameter to Increase Local Port Range + To set the runtime status of the net.ipv4.ip_local_port_range kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_local_port_range=32768 65535 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_local_port_range = 32768 65535 + BP28(R22) + This setting defines the local port range that is used by TCP and UDP to +choose the local port. The first number is the first, the second the last +local port number. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + + +# +# Set runtime for net.ipv4.ip_local_port_range +# +/sbin/sysctl -q -n -w net.ipv4.ip_local_port_range="32768 65535" + +# +# If net.ipv4.ip_local_port_range present in /etc/sysctl.conf, change value to "32768 65535" +# else, add "net.ipv4.ip_local_port_range = 32768 65535" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv4.ip_local_port_range' "32768 65535" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl net.ipv4.ip_local_port_range is set to 32768 65535 + sysctl: + name: net.ipv4.ip_local_port_range + value: 32768 65535 + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_ip_local_port_range + + + + + + + + + + Configure Kernel Parameter for Accepting Secure Redirects By Default + To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.secure_redirects = 0 + BP28(R22) + 3.1.20 + 
CCI-001551 + CM-7(a) + CM-7(b) + SC-5 + SC-7(a) + DE.AE-1 + DE.CM-1 + ID.AM-3 + PR.AC-5 + PR.DS-4 + PR.DS-5 + PR.IP-1 + PR.PT-3 + PR.PT-4 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.2 + SR 7.1 + SR 7.2 + SR 7.6 + 4.2.3.4 + 4.3.3.4 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + 4.4.3.3 + APO01.06 + APO13.01 + BAI04.04 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.03 + DSS01.05 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.06 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.1.3 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.17.2.1 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 2 + 3 + 4 + 6 + 7 + 8 + 9 + SRG-OS-000480-GPOS-00227 + Accepting "secure" ICMP redirects (from those gateways listed as +default gateways) has few legitimate uses. It should be disabled unless it is +absolutely required. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv4_conf_default_secure_redirects_value="" + + + +# +# Set runtime for net.ipv4.conf.default.secure_redirects +# +/sbin/sysctl -q -n -w net.ipv4.conf.default.secure_redirects="$sysctl_net_ipv4_conf_default_secure_redirects_value" + +# +# If net.ipv4.conf.default.secure_redirects present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.default.secure_redirects = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.default.secure_redirects' "$sysctl_net_ipv4_conf_default_secure_redirects_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv4_conf_default_secure_redirects_value # promote to variable + set_fact: + sysctl_net_ipv4_conf_default_secure_redirects_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv4.conf.default.secure_redirects is set + sysctl: + name: net.ipv4.conf.default.secure_redirects + value: '{{ sysctl_net_ipv4_conf_default_secure_redirects_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_default_secure_redirects + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.default.secure_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_secure_redirects.conf + overwrite: true + + + + + + + + + + + Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces + To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run 
the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_echo_ignore_broadcasts = 1 + 5.10.1.1 + 3.1.20 + CCI-000366 + CM-7(a) + CM-7(b) + SC-5 + DE.AE-1 + DE.CM-1 + ID.AM-3 + PR.AC-5 + PR.DS-4 + PR.DS-5 + PR.IP-1 + PR.PT-3 + PR.PT-4 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.2 + SR 7.1 + SR 7.2 + SR 7.6 + 4.2.3.4 + 4.3.3.4 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + 4.4.3.3 + APO01.06 + APO13.01 + BAI04.04 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.03 + DSS01.05 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.06 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.1.3 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.17.2.1 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 2 + 3 + 4 + 6 + 7 + 8 + 9 + Responding to broadcast (ICMP) echoes facilitates network mapping +and provides a vector for amplification attacks. + +Ignoring ICMP echo requests (pings) sent to broadcast or multicast +addresses makes the system slightly more difficult to enumerate on the network. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value="" + + + +# +# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts +# +/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts="$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" + +# +# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.icmp_echo_ignore_broadcasts = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv4.icmp_echo_ignore_broadcasts' "$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value # promote to variable + set_fact: + sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv4.icmp_echo_ignore_broadcasts is set + sysctl: + name: net.ipv4.icmp_echo_ignore_broadcasts + value: '{{ sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.10.1.1 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5 + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.icmp_echo_ignore_broadcasts%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_echo_ignore_broadcasts.conf + overwrite: true + + + + + + + + + + + Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces + To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1 
+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.tcp_syncookies = 1 + BP28(R22) + 5.10.1.1 + 3.1.20 + CCI-000366 + CCI-001095 + CM-7(a) + CM-7(b) + SC-5(1) + SC-5(2) + SC-5(3)(a) + CM-6(a) + DE.AE-1 + DE.CM-1 + ID.AM-3 + PR.AC-5 + PR.DS-4 + PR.DS-5 + PR.PT-4 + SRG-OS-000480-GPOS-00227 + SRG-OS-000420-GPOS-00186 + SRG-OS-000142-GPOS-00071 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.2 + SR 7.1 + SR 7.2 + SR 7.6 + 4.2.3.4 + 4.3.3.4 + 4.4.3.3 + APO01.06 + APO13.01 + BAI04.04 + DSS01.03 + DSS01.05 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.1.3 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.17.2.1 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 12 + 13 + 14 + 15 + 16 + 18 + 2 + 4 + 6 + 7 + 8 + 9 + A TCP SYN flood attack can cause a denial of service by filling a +system's TCP connection table with connections in the SYN_RCVD state. +Syncookies can be used to track a connection when a subsequent ACK is received, +verifying the initiator is attempting a valid connection and is not a flood +source. This feature is activated when a flood condition is detected, and +enables the system to continue servicing valid connection requests. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv4_tcp_syncookies_value="" + + + +# +# Set runtime for net.ipv4.tcp_syncookies +# +/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies="$sysctl_net_ipv4_tcp_syncookies_value" + +# +# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.tcp_syncookies = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv4.tcp_syncookies' "$sysctl_net_ipv4_tcp_syncookies_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv4_tcp_syncookies_value # promote to variable + set_fact: + sysctl_net_ipv4_tcp_syncookies_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv4.tcp_syncookies is set + sysctl: + name: net.ipv4.tcp_syncookies + value: '{{ sysctl_net_ipv4_tcp_syncookies_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.10.1.1 + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-5(1) + - NIST-800-53-SC-5(2) + - NIST-800-53-SC-5(3)(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_tcp_syncookies + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.tcp_syncookies%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_tcp_syncookies.conf + overwrite: true + + + + + + + + + + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
net.ipv4.conf.all.rp_filter = 1 + BP28(R22) + 3.1.20 + CCI-000366 + CCI-001551 + CM-7(a) + CM-7(b) + CM-6(a) + SC-7(a) + DE.AE-1 + DE.CM-1 + ID.AM-3 + PR.AC-5 + PR.DS-4 + PR.DS-5 + PR.PT-4 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.2 + SR 7.1 + SR 7.2 + SR 7.6 + 4.2.3.4 + 4.3.3.4 + 4.4.3.3 + APO01.06 + APO13.01 + BAI04.04 + DSS01.03 + DSS01.05 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.1.3 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.17.2.1 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 12 + 13 + 14 + 15 + 16 + 18 + 2 + 4 + 6 + 7 + 8 + 9 + SRG-OS-000480-GPOS-00227 + Enabling reverse path filtering drops packets with source addresses +that should not have been able to be received on the interface they were +received on. It should not be used on systems which are routers for +complicated networks, but is helpful for end hosts and routers serving small +networks. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv4_conf_all_rp_filter_value="" + + + +# +# Set runtime for net.ipv4.conf.all.rp_filter +# +/sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter="$sysctl_net_ipv4_conf_all_rp_filter_value" + +# +# If net.ipv4.conf.all.rp_filter present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.rp_filter = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.rp_filter' "$sysctl_net_ipv4_conf_all_rp_filter_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv4_conf_all_rp_filter_value # promote to variable + set_fact: + sysctl_net_ipv4_conf_all_rp_filter_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv4.conf.all.rp_filter is set + sysctl: + name: net.ipv4.conf.all.rp_filter + value: '{{ sysctl_net_ipv4_conf_all_rp_filter_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_rp_filter + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.all.rp_filter%3D1%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_rp_filter.conf + overwrite: true + + + + + + + + + + + Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces + To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0 +To make sure that the setting is persistent, add the following line to a file in the directory 
/etc/sysctl.d: net.ipv4.conf.all.secure_redirects = 0 + BP28(R22) + 3.1.20 + CCI-001503 + CCI-001551 + CM-7(a) + CM-7(b) + CM-6(a) + SC-7(a) + DE.AE-1 + DE.CM-1 + ID.AM-3 + PR.AC-5 + PR.DS-4 + PR.DS-5 + PR.IP-1 + PR.PT-3 + PR.PT-4 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 6.2 + SR 7.1 + SR 7.2 + SR 7.6 + 4.2.3.4 + 4.3.3.4 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + 4.4.3.3 + APO01.06 + APO13.01 + BAI04.04 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.03 + DSS01.05 + DSS03.01 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.06 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.1.3 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.17.2.1 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 2 + 3 + 4 + 6 + 7 + 8 + 9 + SRG-OS-000480-GPOS-00227 + Accepting "secure" ICMP redirects (from those gateways listed as +default gateways) has few legitimate uses. It should be disabled unless it is +absolutely required. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv4_conf_all_secure_redirects_value="" + + + +# +# Set runtime for net.ipv4.conf.all.secure_redirects +# +/sbin/sysctl -q -n -w net.ipv4.conf.all.secure_redirects="$sysctl_net_ipv4_conf_all_secure_redirects_value" + +# +# If net.ipv4.conf.all.secure_redirects present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv4.conf.all.secure_redirects = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv4.conf.all.secure_redirects' "$sysctl_net_ipv4_conf_all_secure_redirects_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv4_conf_all_secure_redirects_value # promote to variable + set_fact: + sysctl_net_ipv4_conf_all_secure_redirects_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv4.conf.all.secure_redirects is set + sysctl: + name: net.ipv4.conf.all.secure_redirects + value: '{{ sysctl_net_ipv4_conf_all_secure_redirects_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-SC-7(a) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv4_conf_all_secure_redirects + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv4.conf.all.secure_redirects%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_secure_redirects.conf + overwrite: true + + + + + + + + + + + + + IPv6 + The system includes support for Internet Protocol +version 6. A major and often-mentioned improvement over IPv4 is its +enormous increase in the number of available addresses. 
Another +important feature is its support for automatic configuration of +many network settings. + + Disable Support for IPv6 Unless Needed + Despite configuration that suggests support for IPv6 has +been disabled, link-local IPv6 address auto-configuration occurs +even when only an IPv4 address is assigned. The only way to +effectively prevent execution of the IPv6 networking stack is to +instruct the system not to activate the IPv6 kernel module. + + Disable Interface Usage of IPv6 + To disable interface usage of IPv6, add or correct the following lines in /etc/sysconfig/network: +NETWORKING_IPV6=no +IPV6INIT=no + + + + Disable IPv6 Networking Support Automatic Loading + To prevent the IPv6 kernel module (ipv6) from binding to the +IPv6 networking stack, add the following line to +/etc/modprobe.d/disabled.conf (or another file in +/etc/modprobe.d): +options ipv6 disable=1 +This permits the IPv6 module to be loaded (and thus satisfy other modules that +depend on it), while disabling support for the IPv6 protocol. + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + Any unnecessary network stacks - including IPv6 - should be disabled, to reduce +the vulnerability to exploitation. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +# Prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack +echo "options ipv6 disable=1" > /etc/modprobe.d/ipv6.conf + +# Since according to: https://access.redhat.com/solutions/72733 +# "ipv6 disable=1" options doesn't always disable the IPv6 networking stack from +# loading, instruct also sysctl configuration to disable IPv6 according to: +# https://access.redhat.com/solutions/8709#rhel6disable + +declare -a IPV6_SETTINGS=("net.ipv6.conf.all.disable_ipv6" "net.ipv6.conf.default.disable_ipv6") + +for setting in "${IPV6_SETTINGS[@]}" +do + # Set runtime =1 for setting + /sbin/sysctl -q -n -w "$setting=1" + + # If setting is present in /etc/sysctl.conf, change value to "1" + # else, add "$setting = 1" to /etc/sysctl.conf + if grep -q ^"$setting" /etc/sysctl.conf ; then + sed -i "s/^$setting.*/$setting = 1/g" /etc/sysctl.conf + else + echo "" >> /etc/sysctl.conf + echo "# Set $setting = 1 per security requirements" >> /etc/sysctl.conf + echo "$setting = 1" >> /etc/sysctl.conf + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable IPv6 Networking kernel module + lineinfile: + create: true + dest: /etc/modprobe.d/ipv6.conf + regexp: ^options\s+ipv6\s+disable=\d + line: options ipv6 disable=1 + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - kernel_module_ipv6_option_disabled + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + +- name: Ensure disable_ipv6 (all and default) is set to 1 + sysctl: + name: '{{ item }}' + value: '1' + state: present + reload: true + with_items: + - net.ipv6.conf.all.disable_ipv6 + - net.ipv6.conf.default.disable_ipv6 + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) 
+ - NIST-800-53-CM-7(b) + - disable_strategy + - kernel_module_ipv6_option_disabled + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + + + + + + + + + + Disable IPv6 Networking Support Automatic Loading + To disable support for (ipv6) add the following line to +/etc/sysctl.d/ipv6.conf (or another file in +/etc/sysctl.d): +net.ipv6.conf.all.disable_ipv6 = 1 +This disables IPv6 on all network interfaces as other services and system +functionality require the IPv6 stack loaded to work. + 3.1.20 + CCI-001551 + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + Any unnecessary network stacks - including IPv6 - should be disabled, to reduce +the vulnerability to exploitation. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + + +# +# Set runtime for net.ipv6.conf.all.disable_ipv6 +# +/sbin/sysctl -q -n -w net.ipv6.conf.all.disable_ipv6="1" + +# +# If net.ipv6.conf.all.disable_ipv6 present in /etc/sysctl.conf, change value to "1" +# else, add "net.ipv6.conf.all.disable_ipv6 = 1" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.disable_ipv6' "1" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sysctl net.ipv6.conf.all.disable_ipv6 is set to 1 + sysctl: + name: net.ipv6.conf.all.disable_ipv6 + value: '1' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_all_disable_ipv6 + + + + + + + + + + Disable Support for RPC IPv6 + RPC services for NFSv4 try to load transport modules for +udp6 and tcp6 by default, even if IPv6 has been disabled in +/etc/modprobe.d. 
To prevent RPC services such as rpc.mountd +from attempting to start IPv6 network listeners, remove or comment out the +following two lines in /etc/netconfig: +udp6 tpi_clts v inet6 udp - - +tcp6 tpi_cots_ord v inet6 tcp - - + 3.1.20 + CM-7(a) + CM-7(b) + CM-6(a) + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + PR.IP-1 + PR.PT-3 + + + + + + + Ensure IPv6 is disabled through kernel boot parameter + To disable IPv6 protocol support in the Linux kernel, +add the argument ipv6.disable=1 to the default +GRUB2 command line for the Linux operating system in + +/boot/grub2/grubenv, in the manner below: +sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1" + The GRUB 2 configuration file, grub.cfg, +is automatically updated each time a new kernel is installed. Note that any +changes to /etc/default/grub require rebuilding the grub.cfg +file. To update the GRUB 2 configuration file manually, use the +grub2-mkconfig -o command as follows: +On BIOS-based machines, issue the following command: +sudo grub2-mkconfig -o /boot/grub2/grub.cfgOn UEFI-based machines, issue the following command: + +sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg + Any unnecessary network stacks, including IPv6, should be disabled to reduce +the vulnerability to exploitation. 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common; then + +# Correct grub2 kernelopts value using grub2-editenv +if ! grub2-editenv - list | grep -qE '^kernelopts=(.*\s)?ipv6.disable=1(\s.*)?$'; then + grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - grub2_ipv6_disable_argument + - low_disruption + - low_severity + - medium_complexity + - reboot_required + - restrict_strategy + +- name: get current kernel parameters + command: /usr/bin/grub2-editenv - list + register: kernelopts + changed_when: false + when: '"grub2-common" in ansible_facts.packages' + tags: + - grub2_ipv6_disable_argument + - low_disruption + - low_severity + - medium_complexity + - reboot_required + - restrict_strategy + +- name: Update the bootloader menu + command: /usr/bin/grub2-editenv - set "{{ item }} ipv6.disable=1" + with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') | + list }}' + when: + - '"grub2-common" in ansible_facts.packages' + - kernelopts.stdout_lines is defined + - kernelopts.stdout_lines | length > 0 + - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?ipv6.disable=1(?:\s.*)?$', + multiline=True) is none + tags: + - grub2_ipv6_disable_argument + - low_disruption + - low_severity + - medium_complexity + - reboot_required + - restrict_strategy + + + + + + + + + + + Configure IPv6 Settings if Necessary + A major feature of IPv6 is the extent to which systems +implementing it can automatically configure their networking +devices using information from the network. From a security +perspective, manually configuring important configuration +information is preferable to accepting it from the network +in an unauthenticated fashion. 
+ + IPV6_AUTOCONF + Toggle global IPv6 auto-configuration (only, if global +forwarding is disabled) + no + no + yes + + + net.ipv6.conf.all.accept_ra_defrtr + Accept default router in router advertisements? + 0 + 0 + 1 + + + net.ipv6.conf.all.accept_ra_pinfo + Accept prefix information in router advertisements? + 0 + 0 + 1 + + + net.ipv6.conf.all.accept_ra_rtr_pref + Accept router preference in router advertisements? + 0 + 0 + 1 + + + net.ipv6.conf.all.accept_ra + Accept all router advertisements? + 0 + 0 + 1 + + + net.ipv6.conf.all.accept_redirects + Toggle ICMP Redirect Acceptance + 0 + 0 + 1 + + + net.ipv6.conf.all.accept_source_route + Trackers could be using source-routed packets to +generate traffic that seems to be intra-net, but actually was +created outside and has been redirected. + 0 + 0 + 1 + + + net.ipv6.conf.all.autoconf + Enable auto configuration on IPv6 interfaces + 0 + 0 + 1 + + + net.ipv6.conf.all.forwarding + Toggle IPv6 Forwarding + 0 + 0 + 1 + + + net.ipv6.conf.all.max_addresses + Maximum number of autoconfigured IPv6 addresses + 1 + + + net.ipv6.conf.all.router_solicitations + Accept all router solicitations? + 0 + 0 + 1 + + + net.ipv6.conf.default.accept_ra_defrtr + Accept default router in router advertisements? + 0 + 0 + 1 + + + net.ipv6.conf.default.accept_ra_pinfo + Accept prefix information in router advertisements? + 0 + 0 + 1 + + + net.ipv6.conf.default.accept_ra_rtr_pref + Accept router preference in router advertisements? + 0 + 0 + 1 + + + net.ipv6.conf.default.accept_ra + Accept default router advertisements by default? + 0 + 0 + 1 + + + net.ipv6.conf.default.accept_redirects + Toggle ICMP Redirect Acceptance By Default + 0 + 0 + 1 + + + net.ipv6.conf.default.accept_source_route + Trackers could be using source-routed packets to +generate traffic that seems to be intra-net, but actually was +created outside and has been redirected. 
+ 0 + 0 + 1 + + + net.ipv6.conf.default.autoconf + Enable auto configuration on IPv6 interfaces + 0 + 0 + 1 + + + net.ipv6.conf.default.forwarding + Toggle IPv6 default Forwarding + 0 + 0 + 1 + + + net.ipv6.conf.default.max_addresses + Maximum number of autoconfigured IPv6 addresses + 1 + + + net.ipv6.conf.default.router_solicitations + Accept all router solicitations by default? + 0 + 0 + 1 + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.all.max_addresses kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.max_addresses=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.max_addresses = 1 + BP28(R22) + The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv6_conf_all_max_addresses_value="" + + + +# +# Set runtime for net.ipv6.conf.all.max_addresses +# +/sbin/sysctl -q -n -w net.ipv6.conf.all.max_addresses="$sysctl_net_ipv6_conf_all_max_addresses_value" + +# +# If net.ipv6.conf.all.max_addresses present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.max_addresses = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.max_addresses' "$sysctl_net_ipv6_conf_all_max_addresses_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv6_conf_all_max_addresses_value # promote to variable + set_fact: + sysctl_net_ipv6_conf_all_max_addresses_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv6.conf.all.max_addresses is set + sysctl: + name: net.ipv6.conf.all.max_addresses + value: '{{ sysctl_net_ipv6_conf_all_max_addresses_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv6_conf_all_max_addresses + - unknown_severity + + + + + + + + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.all.accept_ra_rtr_pref kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_rtr_pref=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra_rtr_pref = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value="" + + + +# +# Set runtime for net.ipv6.conf.all.accept_ra_rtr_pref +# +/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_rtr_pref="$sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value" + +# +# If net.ipv6.conf.all.accept_ra_rtr_pref present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.accept_ra_rtr_pref = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.accept_ra_rtr_pref' "$sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value # promote to variable + set_fact: + sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv6.conf.all.accept_ra_rtr_pref is set + sysctl: + name: net.ipv6.conf.all.accept_ra_rtr_pref + value: '{{ sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv6_conf_all_accept_ra_rtr_pref + - unknown_severity + + + + + + + + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default + To set the runtime status of the net.ipv6.conf.default.accept_ra_pinfo kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_pinfo=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra_pinfo = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv6_conf_default_accept_ra_pinfo_value="" + + + +# +# Set runtime for net.ipv6.conf.default.accept_ra_pinfo +# +/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_pinfo="$sysctl_net_ipv6_conf_default_accept_ra_pinfo_value" + +# +# If net.ipv6.conf.default.accept_ra_pinfo present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.accept_ra_pinfo = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.accept_ra_pinfo' "$sysctl_net_ipv6_conf_default_accept_ra_pinfo_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv6_conf_default_accept_ra_pinfo_value # promote to variable + set_fact: + sysctl_net_ipv6_conf_default_accept_ra_pinfo_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv6.conf.default.accept_ra_pinfo is set + sysctl: + name: net.ipv6.conf.default.accept_ra_pinfo + value: '{{ sysctl_net_ipv6_conf_default_accept_ra_pinfo_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv6_conf_default_accept_ra_pinfo + - unknown_severity + + + + + + + + + + + Manually Assign IPv6 Router Address + Edit the file +/etc/sysconfig/network-scripts/ifcfg-interface, and add or correct +the following line (substituting your gateway IP as appropriate): +IPV6_DEFAULTGW=2001:0DB8::0001 +Router addresses should be manually set and not accepted via any +auto-configuration or router advertisement. 
+ CCI-000366 + + + + + + + Disable Accepting Router Advertisements on all IPv6 Interfaces by Default + To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra = 0 + 3.1.20 + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + SRG-OS-000480-GPOS-00227 + CCI-000366 + An illicit router advertisement message could result in a man-in-the-middle attack. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv6_conf_default_accept_ra_value="" + + + +# +# Set runtime for net.ipv6.conf.default.accept_ra +# +/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra="$sysctl_net_ipv6_conf_default_accept_ra_value" + +# +# If net.ipv6.conf.default.accept_ra present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.accept_ra = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.accept_ra' "$sysctl_net_ipv6_conf_default_accept_ra_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv6_conf_default_accept_ra_value # promote to variable + set_fact: + sysctl_net_ipv6_conf_default_accept_ra_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv6.conf.default.accept_ra is set + sysctl: + name: net.ipv6.conf.default.accept_ra + value: '{{ sysctl_net_ipv6_conf_default_accept_ra_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_default_accept_ra + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv6.conf.default.accept_ra%3D0%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_ra.conf + overwrite: true + + + + + + + + + + + Manually Assign Global IPv6 Address + To manually assign an IP address for an interface, edit the +file /etc/sysconfig/network-scripts/ifcfg-interface. 
Add or correct the +following line (substituting the correct IPv6 address): +IPV6ADDR=2001:0DB8::ABCD/64 +Manually assigning an IP address is preferable to accepting one from routers or +from the network otherwise. The example address here is an IPv6 address +reserved for documentation purposes, as defined by RFC3849. + CCI-000366 + 1315 + 1319 + + + + + + + Configure Denying Router Solicitations on All IPv6 Interfaces By Default + To set the runtime status of the net.ipv6.conf.default.router_solicitations kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.router_solicitations=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.router_solicitations = 0 + BP28(R22) + To prevent discovery of the system by other systems, router solicitation requests should be denied. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +sysctl_net_ipv6_conf_default_router_solicitations_value="" + + + +# +# Set runtime for net.ipv6.conf.default.router_solicitations +# +/sbin/sysctl -q -n -w net.ipv6.conf.default.router_solicitations="$sysctl_net_ipv6_conf_default_router_solicitations_value" + +# +# If net.ipv6.conf.default.router_solicitations present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.router_solicitations = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.router_solicitations' "$sysctl_net_ipv6_conf_default_router_solicitations_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv6_conf_default_router_solicitations_value # promote to variable + set_fact: + sysctl_net_ipv6_conf_default_router_solicitations_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv6.conf.default.router_solicitations is set + sysctl: + name: 
net.ipv6.conf.default.router_solicitations + value: '{{ sysctl_net_ipv6_conf_default_router_solicitations_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv6_conf_default_router_solicitations + - unknown_severity + + + + + + + + + + + Configure Auto Configuration on All IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.all.autoconf kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.autoconf=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.autoconf = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +sysctl_net_ipv6_conf_all_autoconf_value="" + + + +# +# Set runtime for net.ipv6.conf.all.autoconf +# +/sbin/sysctl -q -n -w net.ipv6.conf.all.autoconf="$sysctl_net_ipv6_conf_all_autoconf_value" + +# +# If net.ipv6.conf.all.autoconf present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.autoconf = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.autoconf' "$sysctl_net_ipv6_conf_all_autoconf_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv6_conf_all_autoconf_value # promote to variable + set_fact: + sysctl_net_ipv6_conf_all_autoconf_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv6.conf.all.autoconf is set + sysctl: + name: net.ipv6.conf.all.autoconf + value: '{{ sysctl_net_ipv6_conf_all_autoconf_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", 
"container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv6_conf_all_autoconf + - unknown_severity + + + + + + + + + + + Configure Denying Router Solicitations on All IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.all.router_solicitations kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.router_solicitations=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.router_solicitations = 0 + BP28(R22) + To prevent discovery of the system by other systems, router solicitation requests should be denied. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +sysctl_net_ipv6_conf_all_router_solicitations_value="" + + + +# +# Set runtime for net.ipv6.conf.all.router_solicitations +# +/sbin/sysctl -q -n -w net.ipv6.conf.all.router_solicitations="$sysctl_net_ipv6_conf_all_router_solicitations_value" + +# +# If net.ipv6.conf.all.router_solicitations present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.router_solicitations = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.router_solicitations' "$sysctl_net_ipv6_conf_all_router_solicitations_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv6_conf_all_router_solicitations_value # promote to variable + set_fact: + sysctl_net_ipv6_conf_all_router_solicitations_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv6.conf.all.router_solicitations is set + sysctl: + name: net.ipv6.conf.all.router_solicitations + value: '{{ sysctl_net_ipv6_conf_all_router_solicitations_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - 
disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv6_conf_all_router_solicitations + - unknown_severity + + + + + + + + + + + Use Privacy Extensions for Address + To introduce randomness into the automatic generation of IPv6 +addresses, add or correct the following line in +/etc/sysconfig/network-scripts/ifcfg-interface: +IPV6_PRIVACY=rfc3041 +Automatically-generated IPv6 addresses are based on the underlying hardware +(e.g. Ethernet) address, and so it becomes possible to track a piece of +hardware over its lifetime using its traffic. If it is important for a system's +IP address to not trivially reveal its hardware address, this setting should be +applied. + 3.1.20 + CCI-000366 + + + + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default + To set the runtime status of the net.ipv6.conf.default.accept_ra_defrtr kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_defrtr=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra_defrtr = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv6_conf_default_accept_ra_defrtr_value="" + + + +# +# Set runtime for net.ipv6.conf.default.accept_ra_defrtr +# +/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_defrtr="$sysctl_net_ipv6_conf_default_accept_ra_defrtr_value" + +# +# If net.ipv6.conf.default.accept_ra_defrtr present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.accept_ra_defrtr = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.accept_ra_defrtr' "$sysctl_net_ipv6_conf_default_accept_ra_defrtr_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv6_conf_default_accept_ra_defrtr_value # promote to variable + set_fact: + sysctl_net_ipv6_conf_default_accept_ra_defrtr_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv6.conf.default.accept_ra_defrtr is set + sysctl: + name: net.ipv6.conf.default.accept_ra_defrtr + value: '{{ sysctl_net_ipv6_conf_default_accept_ra_defrtr_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv6_conf_default_accept_ra_defrtr + - unknown_severity + + + + + + + + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.all.accept_ra_defrtr kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_defrtr=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra_defrtr = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv6_conf_all_accept_ra_defrtr_value="" + + + +# +# Set runtime for net.ipv6.conf.all.accept_ra_defrtr +# +/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_defrtr="$sysctl_net_ipv6_conf_all_accept_ra_defrtr_value" + +# +# If net.ipv6.conf.all.accept_ra_defrtr present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.accept_ra_defrtr = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.accept_ra_defrtr' "$sysctl_net_ipv6_conf_all_accept_ra_defrtr_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv6_conf_all_accept_ra_defrtr_value # promote to variable + set_fact: + sysctl_net_ipv6_conf_all_accept_ra_defrtr_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv6.conf.all.accept_ra_defrtr is set + sysctl: + name: net.ipv6.conf.all.accept_ra_defrtr + value: '{{ sysctl_net_ipv6_conf_all_accept_ra_defrtr_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv6_conf_all_accept_ra_defrtr + - unknown_severity + + + + + + + + + + + Configure Auto Configuration on All IPv6 Interfaces By Default + To set the runtime status of the net.ipv6.conf.default.autoconf kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.autoconf=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.autoconf = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv6_conf_default_autoconf_value="" + + + +# +# Set runtime for net.ipv6.conf.default.autoconf +# +/sbin/sysctl -q -n -w net.ipv6.conf.default.autoconf="$sysctl_net_ipv6_conf_default_autoconf_value" + +# +# If net.ipv6.conf.default.autoconf present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.autoconf = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.autoconf' "$sysctl_net_ipv6_conf_default_autoconf_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv6_conf_default_autoconf_value # promote to variable + set_fact: + sysctl_net_ipv6_conf_default_autoconf_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv6.conf.default.autoconf is set + sysctl: + name: net.ipv6.conf.default.autoconf + value: '{{ sysctl_net_ipv6_conf_default_autoconf_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv6_conf_default_autoconf + - unknown_severity + + + + + + + + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default + To set the runtime status of the net.ipv6.conf.default.accept_ra_rtr_pref kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra_rtr_pref=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra_rtr_pref = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value="" + + + +# +# Set runtime for net.ipv6.conf.default.accept_ra_rtr_pref +# +/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_rtr_pref="$sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value" + +# +# If net.ipv6.conf.default.accept_ra_rtr_pref present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.accept_ra_rtr_pref = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.accept_ra_rtr_pref' "$sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value # promote to variable + set_fact: + sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv6.conf.default.accept_ra_rtr_pref is set + sysctl: + name: net.ipv6.conf.default.accept_ra_rtr_pref + value: '{{ sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv6_conf_default_accept_ra_rtr_pref + - unknown_severity + + + + + + + + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.all.accept_ra_pinfo kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra_pinfo = 0 + BP28(R22) + An illicit router advertisement message could result in a man-in-the-middle attack. + + # Remediation is applicable only in certain platforms +if [ ! 
-f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +sysctl_net_ipv6_conf_all_accept_ra_pinfo_value="" + + + +# +# Set runtime for net.ipv6.conf.all.accept_ra_pinfo +# +/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_pinfo="$sysctl_net_ipv6_conf_all_accept_ra_pinfo_value" + +# +# If net.ipv6.conf.all.accept_ra_pinfo present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.all.accept_ra_pinfo = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.all.accept_ra_pinfo' "$sysctl_net_ipv6_conf_all_accept_ra_pinfo_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv6_conf_all_accept_ra_pinfo_value # promote to variable + set_fact: + sysctl_net_ipv6_conf_all_accept_ra_pinfo_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv6.conf.all.accept_ra_pinfo is set + sysctl: + name: net.ipv6.conf.all.accept_ra_pinfo + value: '{{ sysctl_net_ipv6_conf_all_accept_ra_pinfo_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv6_conf_all_accept_ra_pinfo + - unknown_severity + + + + + + + + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default + To set the runtime status of the net.ipv6.conf.default.max_addresses kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.max_addresses=1 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.max_addresses = 1 + BP28(R22) + The number of global unicast IPv6 addresses for each interface should be limited exactly to the number of statically configured addresses. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +sysctl_net_ipv6_conf_default_max_addresses_value="" + + + +# +# Set runtime for net.ipv6.conf.default.max_addresses +# +/sbin/sysctl -q -n -w net.ipv6.conf.default.max_addresses="$sysctl_net_ipv6_conf_default_max_addresses_value" + +# +# If net.ipv6.conf.default.max_addresses present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.max_addresses = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.max_addresses' "$sysctl_net_ipv6_conf_default_max_addresses_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv6_conf_default_max_addresses_value # promote to variable + set_fact: + sysctl_net_ipv6_conf_default_max_addresses_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv6.conf.default.max_addresses is set + sysctl: + name: net.ipv6.conf.default.max_addresses + value: '{{ sysctl_net_ipv6_conf_default_max_addresses_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - medium_disruption + - reboot_required + - sysctl_net_ipv6_conf_default_max_addresses + - unknown_severity + + + + + + + + + + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces + To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0 +To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0 + BP28(R22) + 3.1.20 + CCI-000366 + CCI-001551 + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 
2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + SRG-OS-000480-GPOS-00227 + An illicit ICMP redirect message could result in a man-in-the-middle attack. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +sysctl_net_ipv6_conf_default_accept_redirects_value="" + + + +# +# Set runtime for net.ipv6.conf.default.accept_redirects +# +/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_redirects="$sysctl_net_ipv6_conf_default_accept_redirects_value" + +# +# If net.ipv6.conf.default.accept_redirects present in /etc/sysctl.conf, change value to appropriate value +# else, add "net.ipv6.conf.default.accept_redirects = value" to /etc/sysctl.conf +# + +replace_or_append '/etc/sysctl.conf' '^net.ipv6.conf.default.accept_redirects' "$sysctl_net_ipv6_conf_default_accept_redirects_value" '' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sysctl_net_ipv6_conf_default_accept_redirects_value # promote to variable + set_fact: + sysctl_net_ipv6_conf_default_accept_redirects_value: !!str + tags: + - always + +- name: Ensure sysctl net.ipv6.conf.default.accept_redirects is set + sysctl: + name: net.ipv6.conf.default.accept_redirects + value: '{{ sysctl_net_ipv6_conf_default_accept_redirects_value }}' + state: present + reload: true + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.20 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + 
- disable_strategy + - low_complexity + - medium_disruption + - medium_severity + - reboot_required + - sysctl_net_ipv6_conf_default_accept_redirects + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,net.ipv6.conf.default.accept_redirects%20%3D%200%0A + mode: 0644 + path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_redirects.conf + overwrite: true + + + + + + + + + + + Limit Network-Transmitted Configuration if Using Static IPv6 Addresses + To limit the configuration information requested from other +systems and accepted from the network on a system that uses +statically-configured IPv6 addresses, add the following lines to +/etc/sysctl.conf: +net.ipv6.conf.default.router_solicitations = 0 +net.ipv6.conf.default.accept_ra_rtr_pref = 0 +net.ipv6.conf.default.accept_ra_pinfo = 0 +net.ipv6.conf.default.accept_ra_defrtr = 0 +net.ipv6.conf.default.autoconf = 0 +net.ipv6.conf.default.dad_transmits = 0 +net.ipv6.conf.default.max_addresses = 1 +The router_solicitations setting determines how many router +solicitations are sent when bringing up the interface. If addresses are +statically assigned, there is no need to send any solicitations. + +The accept_ra_pinfo setting controls whether the system will accept +prefix info from the router. + +The accept_ra_defrtr setting controls whether the system will accept +Hop Limit settings from a router advertisement. Setting it to 0 prevents a +router from changing your default IPv6 Hop Limit for outgoing packets. + +The autoconf setting controls whether router advertisements can cause +the system to assign a global unicast address to an interface. + +The dad_transmits setting determines how many neighbor solicitations +to send out per address (global and link-local) when bringing up an interface +to ensure the desired address is unique on the network. 
+ +The max_addresses setting determines how many global unicast IPv6 +addresses can be assigned to each interface. The default is 16, but it should +be set to exactly the number of statically configured global addresses +required. + + + + + + SELinux + SELinux is a feature of the Linux kernel which can be +used to guard against misconfigured or compromised programs. +SELinux enforces the idea that programs should be limited in what +files they can access and what actions they can take. + +The default SELinux policy, as configured on Fedora, has been +sufficiently developed and debugged that it should be usable on +almost any system with minimal configuration and a small +amount of system administrator training. This policy prevents +system services - including most of the common network-visible +services such as mail servers, FTP servers, and DNS servers - from +accessing files which those services have no valid reason to +access. This action alone prevents a huge amount of possible damage +from network attacks against services, from trojaned software, and +so forth. + +This guide recommends that SELinux be enabled using the +default (targeted) policy on every Fedora system, unless that +system has unusual requirements which make a stronger policy +appropriate. + + + SELinux policy + Type of policy in use. Possible values are: +targeted - Only targeted network daemons are protected. +strict - Full SELinux protection. +mls - Multiple levels of security + targeted + mls + targeted + + + SELinux state + enforcing - SELinux security policy is enforced. +permissive - SELinux prints warnings instead of enforcing. +disabled - SELinux is fully disabled. 
+ enforcing + disabled + enforcing + permissive + + + Install libselinux Package + The libselinux package can be installed with the following command: + +$ sudo dnf install libselinux + Security-enhanced Linux is a feature of the Linux kernel and a number of utilities +with enhanced security functionality designed to add mandatory access controls to Linux. + +The libselinux package contains the core library of the Security-enhanced Linux system. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "libselinux" ; then + dnf install -y "libselinux" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure libselinux is installed + package: + name: libselinux + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - enable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - package_libselinux_installed + + include install_libselinux + +class install_libselinux { + package { 'libselinux': + ensure => 'installed', + } +} + + +package --add=libselinux + + +[[packages]] +name = "libselinux" +version = "*" + + + + + + + + + + Install policycoreutils Package + The policycoreutils package can be installed with the following command: + +$ sudo dnf install policycoreutils + SRG-OS-000480-GPOS-00227 + CCI-001084 + Security-enhanced Linux is a feature of the Linux kernel and a number of utilities +with enhanced security functionality designed to add mandatory access controls to Linux. +The Security-enhanced Linux kernel contains new architectural components originally +developed to improve security of the Flask operating system. 
These architectural components +provide general support for the enforcement of many kinds of mandatory access control +policies, including those based on the concepts of Type Enforcement, Role-based Access +Control, and Multi-level Security. + +policycoreutils contains the policy core utilities that are required for +basic operation of an SELinux-enabled system. These utilities include load_policy +to load SELinux policies, setfiles to label filesystems, newrole to +switch roles, and so on. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "policycoreutils" ; then + dnf install -y "policycoreutils" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure policycoreutils is installed + package: + name: policycoreutils + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - enable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - package_policycoreutils_installed + + include install_policycoreutils + +class install_policycoreutils { + package { 'policycoreutils': + ensure => 'installed', + } +} + + +package --add=policycoreutils + + +[[packages]] +name = "policycoreutils" +version = "*" + + + + + + + + + + Uninstall mcstrans Package + The mcstransd daemon provides category label information +to client processes requesting information. The label translations are defined +in /etc/selinux/targeted/setrans.conf. +The mcstrans package can be removed with the following command: + +$ sudo dnf erase mcstrans + Since this service is not used very often, disable it to reduce the +amount of potentially vulnerable code running on the system. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove mcstrans +# from the system, and may remove any packages +# that depend on mcstrans. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "mcstrans" ; then + dnf remove -y "mcstrans" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure mcstrans is removed + package: + name: mcstrans + state: absent + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_mcstrans_removed + + include remove_mcstrans + +class remove_mcstrans { + package { 'mcstrans': + ensure => 'purged', + } +} + + +package --remove=mcstrans + + + + + + + Uninstall setroubleshoot-plugins Package + The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors, +unauthorized intrusions, and other potential errors. +The setroubleshoot-plugins package can be removed with the following command: + +$ sudo dnf erase setroubleshoot-plugins + BP28(R68) + The SETroubleshoot service is an unnecessary daemon to +have running on a server. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove setroubleshoot-plugins +# from the system, and may remove any packages +# that depend on setroubleshoot-plugins. Execute this +# remediation AFTER testing on a non-production +# system! 
+ +if rpm -q --quiet "setroubleshoot-plugins" ; then + dnf remove -y "setroubleshoot-plugins" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure setroubleshoot-plugins is removed + package: + name: setroubleshoot-plugins + state: absent + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_setroubleshoot-plugins_removed + + include remove_setroubleshoot-plugins + +class remove_setroubleshoot-plugins { + package { 'setroubleshoot-plugins': + ensure => 'purged', + } +} + + +package --remove=setroubleshoot-plugins + + + + + + + + + + Uninstall setroubleshoot-server Package + The SETroubleshoot service notifies desktop users of SELinux +denials. The service provides information around configuration errors, +unauthorized intrusions, and other potential errors. +The setroubleshoot-server package can be removed with the following command: + +$ sudo dnf erase setroubleshoot-server + BP28(R68) + The SETroubleshoot service is an unnecessary daemon to have +running on a server. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove setroubleshoot-server +# from the system, and may remove any packages +# that depend on setroubleshoot-server. Execute this +# remediation AFTER testing on a non-production +# system! 
+ +if rpm -q --quiet "setroubleshoot-server" ; then + dnf remove -y "setroubleshoot-server" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure setroubleshoot-server is removed + package: + name: setroubleshoot-server + state: absent + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_setroubleshoot-server_removed + + include remove_setroubleshoot-server + +class remove_setroubleshoot-server { + package { 'setroubleshoot-server': + ensure => 'purged', + } +} + + +package --remove=setroubleshoot-server + + + + + + + + + + Uninstall setroubleshoot Package + The SETroubleshoot service notifies desktop users of SELinux +denials. The service provides information around configuration errors, +unauthorized intrusions, and other potential errors. +The setroubleshoot package can be removed with the following command: + +$ sudo dnf erase setroubleshoot + BP28(R68) + The SETroubleshoot service is an unnecessary daemon to +have running on a server, especially if +X Windows is removed or disabled. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove setroubleshoot +# from the system, and may remove any packages +# that depend on setroubleshoot. Execute this +# remediation AFTER testing on a non-production +# system! 
+ +if rpm -q --quiet "setroubleshoot" ; then + dnf remove -y "setroubleshoot" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure setroubleshoot is removed + package: + name: setroubleshoot + state: absent + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_setroubleshoot_removed + + include remove_setroubleshoot + +class remove_setroubleshoot { + package { 'setroubleshoot': + ensure => 'purged', + } +} + + +package --remove=setroubleshoot + + + + + + + Ensure SELinux Not Disabled in /etc/default/grub + SELinux can be disabled at boot time by an argument in +/etc/default/grub. +Remove any instances of selinux=0 from the kernel arguments in that +file to prevent SELinux from being disabled at boot. + 3.1.2 + 3.7.2 + CCI-000022 + CCI-000032 + 164.308(a)(1)(ii)(D) + 164.308(a)(3) + 164.308(a)(4) + 164.310(b) + 164.310(c) + 164.312(a) + 164.312(e) + AC-3 + AC-3(3)(a) + DE.AE-1 + ID.AM-3 + PR.AC-4 + PR.AC-5 + PR.AC-6 + PR.DS-5 + PR.PT-1 + PR.PT-3 + PR.PT-4 + SRG-OS-000445-VMM-001780 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.2.3.4 + 4.3.3.2.2 + 4.3.3.3.9 + 4.3.3.4 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + 4.4.3.3 + APO01.06 + APO11.04 + APO13.01 + BAI03.05 + DSS01.05 + DSS03.01 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.03 + 
DSS06.06 + MEA02.01 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 4 + 5 + 6 + 8 + 9 + Disabling a major host protection feature, such as SELinux, at boot time prevents +it from confining system services at boot time. Further, it increases +the chances that it will remain off during system operation. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* +sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Find /etc/grub.d/ files + find: + paths: + - /etc/grub.d/ + follow: true + register: grub + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.2 + - NIST-800-171-3.7.2 + - NIST-800-53-AC-3 + - NIST-800-53-AC-3(3)(a) + - grub2_enable_selinux + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + +- name: Ensure SELinux Not Disabled in grub files + replace: + dest: '{{ item.path }}' + regexp: (selinux|enforcing)=0 + with_items: + - '{{ grub.files }}' + - path: /etc/grub2.cfg + - path: /etc/default/grub + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.2 + - NIST-800-171-3.7.2 + - NIST-800-53-AC-3 + - NIST-800-53-AC-3(3)(a) + - grub2_enable_selinux + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + + + + + 
+ + + + Ensure SELinux State is Enforcing + The SELinux state should be set to at +system boot time. In the file /etc/selinux/config, add or correct the +following line to configure the system to boot into enforcing mode: +SELINUX= + 3.1.2 + 3.7.2 + CCI-002165 + CCI-002696 + 164.308(a)(1)(ii)(D) + 164.308(a)(3) + 164.308(a)(4) + 164.310(b) + 164.310(c) + 164.312(a) + 164.312(e) + AC-3 + AC-3(3)(a) + AU-9 + SC-7(21) + DE.AE-1 + ID.AM-3 + PR.AC-4 + PR.AC-5 + PR.AC-6 + PR.DS-5 + PR.PT-1 + PR.PT-3 + PR.PT-4 + SRG-OS-000445-GPOS-00199 + SRG-OS-000445-VMM-001780 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.2.3.4 + 4.3.3.2.2 + 4.3.3.3.9 + 4.3.3.4 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + 4.4.3.3 + APO01.06 + APO11.04 + APO13.01 + BAI03.05 + DSS01.05 + DSS03.01 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.03 + DSS06.06 + MEA02.01 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 4 + 5 + 6 + 8 + 9 + BP28(R4) + BP28(R66) + Setting the SELinux state to enforcing ensures SELinux is able to confine +potentially compromised processes to the security policy, which is designed to +prevent them from 
causing damage to the system or further elevating their +privileges. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +var_selinux_state="" + + + +if [ -e "/etc/selinux/config" ] ; then + LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config" +else + touch "/etc/selinux/config" +fi +cp "/etc/selinux/config" "/etc/selinux/config.bak" +# Insert at the end of the file +printf '%s\n' "SELINUX=$var_selinux_state" >> "/etc/selinux/config" +# Clean up after ourselves. +rm "/etc/selinux/config.bak" + +fixfiles onboot +fixfiles -f relabel + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_selinux_state # promote to variable + set_fact: + var_selinux_state: !!str + tags: + - always + +- name: Ensure SELinux State is Enforcing + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/selinux/config + create: false + regexp: ^SELINUX= + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/selinux/config + lineinfile: + path: /etc/selinux/config + create: false + regexp: ^SELINUX= + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/selinux/config + lineinfile: + path: /etc/selinux/config + create: true + regexp: ^SELINUX= + line: SELINUX={{ var_selinux_state }} + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.2 + - NIST-800-171-3.7.2 + - NIST-800-53-AC-3 + - NIST-800-53-AC-3(3)(a) + - NIST-800-53-AU-9 + - NIST-800-53-SC-7(21) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - selinux_state + + + + + + + + + + + Ensure SELinux Not Disabled in the kernel arguments + SELinux can be disabled at boot time by disabling it via a kernel argument. 
+Remove any instances of selinux=0 from the kernel arguments in that +file to prevent SELinux from being disabled at boot. + 3.1.2 + 3.7.2 + CCI-000022 + CCI-000032 + 164.308(a)(1)(ii)(D) + 164.308(a)(3) + 164.308(a)(4) + 164.310(b) + 164.310(c) + 164.312(a) + 164.312(e) + AC-3 + AC-3(3)(a) + DE.AE-1 + ID.AM-3 + PR.AC-4 + PR.AC-5 + PR.AC-6 + PR.DS-5 + PR.PT-1 + PR.PT-3 + PR.PT-4 + SRG-OS-000445-VMM-001780 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.2.3.4 + 4.3.3.2.2 + 4.3.3.3.9 + 4.3.3.4 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + 4.4.3.3 + APO01.06 + APO11.04 + APO13.01 + BAI03.05 + DSS01.05 + DSS03.01 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.03 + DSS06.06 + MEA02.01 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 4 + 5 + 6 + 8 + 9 + Disabling a major host protection feature, such as SELinux, at boot time prevents +it from confining system services at boot time. Further, it increases +the chances that it will remain off during system operation. 
+ + + + + + + + + + Ensure No Daemons are Unconfined by SELinux + Daemons for which the SELinux policy does not contain rules will inherit the +context of the parent process. Because daemons are launched during +startup and descend from the init process, they inherit the unconfined_service_t context. + + +To check for unconfined daemons, run the following command: +$ sudo ps -eZ | grep "unconfined_service_t" +It should produce no output in a well-configured system. + Automatic remediation of this control is not available. Remediation +can be achieved by amending SELinux policy or stopping the unconfined +daemons as outlined above. + 3.1.2 + 3.1.5 + 3.7.2 + 164.308(a)(1)(ii)(D) + 164.308(a)(3) + 164.308(a)(4) + 164.310(b) + 164.310(c) + 164.312(a) + 164.312(e) + CM-7(a) + CM-7(b) + CM-6(a) + AC-3(3)(a) + AC-6 + PR.AC-4 + PR.DS-5 + PR.IP-1 + PR.PT-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 2.8 + SR 2.9 + SR 5.2 + SR 7.6 + 4.3.3.3.9 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO01.06 + APO11.04 + BAI03.05 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.06 + MEA02.01 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.5.1 + A.12.6.2 + A.12.7.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 
+ 18 + 3 + 5 + 6 + 9 + Daemons which run with the unconfined_service_t context may cause AVC denials, +or allow privileges that the daemon does not require. + + + + + + + + + + Configure SELinux Policy + The SELinux targeted policy is appropriate for +general-purpose desktops and servers, as well as systems in many other roles. +To configure the system to use this policy, add or correct the following line +in /etc/selinux/config: +SELINUXTYPE= +Other policies, such as mls, provide additional security labeling +and greater confinement but are not compatible with many general-purpose +use cases. + BP28(R66) + 3.1.2 + 3.7.2 + CCI-002165 + CCI-002696 + 164.308(a)(1)(ii)(D) + 164.308(a)(3) + 164.308(a)(4) + 164.310(b) + 164.310(c) + 164.312(a) + 164.312(e) + AC-3 + AC-3(3)(a) + AU-9 + SC-7(21) + DE.AE-1 + ID.AM-3 + PR.AC-4 + PR.AC-5 + PR.AC-6 + PR.DS-5 + PR.PT-1 + PR.PT-3 + PR.PT-4 + SRG-OS-000445-GPOS-00199 + SRG-OS-000445-VMM-001780 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 2.8 + SR 2.9 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.2.3.4 + 4.3.3.2.2 + 4.3.3.3.9 + 4.3.3.4 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + 4.4.3.3 + APO01.06 + APO11.04 + APO13.01 + BAI03.05 + DSS01.05 + DSS03.01 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.03 + DSS06.06 + MEA02.01 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.1 + A.12.1.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + A.13.1.1 + A.13.1.2 + A.13.1.3 + A.13.2.1 + A.13.2.2 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + 
A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 4 + 5 + 6 + 8 + 9 + Setting the SELinux policy to targeted or a more specialized policy +ensures the system will confine processes that are likely to be +targeted for exploitation, such as network or system services. + +Note: During the development or debugging of SELinux modules, it is common to +temporarily place non-production systems in permissive mode. In such +temporary cases, SELinux policies should be developed, and once work +is completed, the system should be reconfigured to +. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +var_selinux_policy_name="" + + + +if [ -e "/etc/selinux/config" ] ; then + LC_ALL=C sed -i "/^SELINUXTYPE=/Id" "/etc/selinux/config" +else + touch "/etc/selinux/config" +fi +cp "/etc/selinux/config" "/etc/selinux/config.bak" +# Insert at the end of the file +printf '%s\n' "SELINUXTYPE=$var_selinux_policy_name" >> "/etc/selinux/config" +# Clean up after ourselves. 
+rm "/etc/selinux/config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_selinux_policy_name # promote to variable + set_fact: + var_selinux_policy_name: !!str + tags: + - always + +- name: Configure SELinux Policy + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/selinux/config + create: false + regexp: ^SELINUXTYPE= + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/selinux/config + lineinfile: + path: /etc/selinux/config + create: false + regexp: ^SELINUXTYPE= + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/selinux/config + lineinfile: + path: /etc/selinux/config + create: true + regexp: ^SELINUXTYPE= + line: SELINUXTYPE={{ var_selinux_policy_name }} + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.2 + - NIST-800-171-3.7.2 + - NIST-800-53-AC-3 + - NIST-800-53-AC-3(3)(a) + - NIST-800-53-AU-9 + - NIST-800-53-SC-7(21) + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + - selinux_policytype + + + + + + + + + + + Ensure No Device Files are Unlabeled by SELinux + Device files, which are used for communication with important system +resources, should be labeled with proper SELinux types. If any device files +carry the SELinux type device_t or unlabeled_t, report the +bug so that policy can be corrected. Supply information about what the +device is and what programs use it. + +To check for incorrectly labeled device files, run following commands: +$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n" +$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n" +It should produce no output in a well-configured system. + Automatic remediation of this control is not available. 
The remediation +can be achieved by amending SELinux policy. + 3.1.2 + 3.1.5 + 3.7.2 + CCI-000022 + CCI-000032 + CCI-000318 + CCI-000366 + CCI-000368 + CCI-001812 + CCI-001813 + CCI-001814 + CM-7(a) + CM-7(b) + CM-6(a) + AC-3(3)(a) + AC-6 + DE.CM-1 + DE.CM-7 + PR.AC-4 + PR.DS-5 + PR.IP-1 + PR.IP-3 + PR.PT-1 + PR.PT-3 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 2.8 + SR 2.9 + SR 5.2 + SR 6.2 + SR 7.6 + 4.3.3.3.9 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO01.06 + APO11.04 + BAI01.06 + BAI03.05 + BAI06.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.03 + DSS03.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.06 + MEA02.01 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.2 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.5.1 + A.12.6.2 + A.12.7.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.14.2.7 + A.15.2.1 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 2 + 3 + 5 + 6 + 7 + 8 + 9 + If a device file carries the SELinux type device_t or +unlabeled_t, then SELinux cannot properly restrict access to the +device file. + + + + + + + + + + SELinux - Booleans + Enable or Disable runtime customization of SELinux system policies +without having to reload or recompile the SELinux policy. + + + abrt_anon_write SELinux Boolean + default - Default SELinux boolean setting. 
+on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + abrt_handle_event SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + abrt_upload_watch_anon_write SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + antivirus_can_scan_system SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + antivirus_use_jit SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + auditadm_exec_content SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + authlogin_nsswitch_use_ldap SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + authlogin_radius SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + authlogin_yubikey SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + awstats_purge_apache_log_files SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + boinc_execmem SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + cdrecord_read_content SELinux Boolean + default - Default SELinux boolean setting. 
+on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + cluster_can_network_connect SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + cluster_manage_all_files SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + cluster_use_execmem SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + cobbler_anon_write SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + cobbler_can_network_connect SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + cobbler_use_cifs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + cobbler_use_nfs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + collectd_tcp_network_connect SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + condor_tcp_network_connect SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + conman_can_network SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. 
+ false + false + true + + + container_connect_any SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + cron_can_relabel SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + cron_system_cronjob_use_shares SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + cron_userdomain_transition SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + cups_execmem SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + cvs_read_shadow SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + daemons_dump_core SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + daemons_enable_cluster_mode SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + daemons_use_tcp_wrapper SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + daemons_use_tty SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + dbadm_exec_content SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. 
+ true + false + true + + + dbadm_manage_user_files SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + dbadm_read_user_files SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + deny_execmem SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + deny_ptrace SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + dhcpc_exec_iptables SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + dhcpd_use_ldap SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + domain_fd_use SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + domain_kernel_load_modules SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + entropyd_use_audio SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + exim_can_connect_db SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + exim_manage_user_files SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. 
+ false + false + true + + + exim_read_user_files SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + fcron_crond SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + fenced_can_network_connect SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + fenced_can_ssh SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + fips_mode SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + ftpd_anon_write SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + ftpd_connect_all_unreserved SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + ftpd_connect_db SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + ftpd_full_access SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + ftpd_use_cifs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + ftpd_use_fusefs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. 
+ false + false + true + + + ftpd_use_nfs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + ftpd_use_passive_mode SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + git_cgi_enable_homedirs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + git_cgi_use_cifs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + git_cgi_use_nfs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + git_session_bind_all_unreserved_ports SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + git_session_users SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + git_system_enable_homedirs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + git_system_use_cifs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + git_system_use_nfs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + gitosis_can_sendmail SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. 
+ false + false + true + + + glance_api_can_network SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + glance_use_execmem SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + glance_use_fusefs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + global_ssp SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + gluster_anon_write SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + gluster_export_all_ro SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + gluster_export_all_rw SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + gpg_web_anon_write SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + gssd_read_tmp SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + guest_exec_content SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + haproxy_connect_any SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. 
+ false + false + true + + + httpd_anon_write SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_builtin_scripting SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + httpd_can_check_spam SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_can_connect_ftp SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_can_connect_ldap SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_can_connect_mythtv SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_can_connect_zabbix SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_can_network_connect SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_can_network_connect_cobbler SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_can_network_connect_db SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_can_network_memcache SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. 
+off - SELinux boolean is disabled. + false + false + true + + + httpd_can_network_relay SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_can_sendmail SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_dbus_avahi SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_dbus_sssd SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_dontaudit_search_dirs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_enable_cgi SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + httpd_enable_ftp_server SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_enable_homedirs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_execmem SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_graceful_shutdown SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + httpd_manage_ipa SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. 
+off - SELinux boolean is disabled. + false + false + true + + + httpd_mod_auth_ntlm_winbind SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_mod_auth_pam SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_read_user_content SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_run_ipa SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_run_preupgrade SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_run_stickshift SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_serve_cobbler_files SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_setrlimit SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_ssi_exec SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_sys_script_anon_write SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_tmp_exec SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. 
+off - SELinux boolean is disabled. + false + false + true + + + httpd_tty_comm SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_unified SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_use_cifs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_use_fusefs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_use_gpg SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_use_nfs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_use_openstack SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_use_sasl SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + httpd_verify_dns SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + icecast_use_any_tcp_ports SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + irc_use_any_tcp_ports SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. 
+ false + false + true + + + irssi_use_full_network SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + kdumpgui_run_bootloader SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + kerberos_enabled SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + ksmtuned_use_cifs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + ksmtuned_use_nfs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + logadm_exec_content SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + logging_syslogd_can_sendmail SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + logging_syslogd_run_nagios_plugins SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + logging_syslogd_use_tty SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + login_console_enabled SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + logrotate_use_nfs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. 
+off - SELinux boolean is disabled. + false + false + true + + + logwatch_can_network_connect_mail SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + lsmd_plugin_connect_any SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + mailman_use_fusefs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + mcelog_client SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + mcelog_exec_scripts SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + mcelog_foreground SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + mcelog_server SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + minidlna_read_generic_user_content SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + mmap_low_allowed SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + mock_enable_homedirs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + mount_anyfile SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. 
+off - SELinux boolean is disabled. + true + false + true + + + mozilla_plugin_bind_unreserved_ports SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + mozilla_plugin_can_network_connect SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + mozilla_plugin_use_bluejeans SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + mozilla_plugin_use_gps SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + mozilla_plugin_use_spice SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + mozilla_read_content SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + mpd_enable_homedirs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + mpd_use_cifs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + mpd_use_nfs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + mplayer_execstack SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + mysql_connect_any SELinux Boolean + default - Default SELinux boolean setting. 
+on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + nagios_run_pnp4nagios SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + nagios_run_sudo SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + named_tcp_bind_http_port SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + named_write_master_zones SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + neutron_can_network SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + nfs_export_all_ro SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + nfs_export_all_rw SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + nfsd_anon_write SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + nis_enabled SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + nscd_use_shm SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + openshift_use_nfs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. 
+off - SELinux boolean is disabled. + false + false + true + + + openvpn_can_network_connect SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + openvpn_enable_homedirs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + openvpn_run_unconfined SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + pcp_bind_all_unreserved_ports SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + pcp_read_generic_logs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + piranha_lvs_can_network_connect SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + polipo_connect_all_unreserved SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + polipo_session_bind_all_unreserved_ports SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + polipo_session_users SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + polipo_use_cifs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. 
+ false + false + true + + + polipo_use_nfs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + polyinstantiation_enabled SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + postfix_local_write_mail_spool SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + postgresql_can_rsync SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + postgresql_selinux_transmit_client_label SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + postgresql_selinux_unconfined_dbadm SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + postgresql_selinux_users_ddl SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + pppd_can_insmod SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + pppd_for_user SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + privoxy_connect_any SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + prosody_bind_http_port SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. 
+off - SELinux boolean is disabled. + false + false + true + + + puppetagent_manage_all_files SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + puppetmaster_use_db SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + racoon_read_shadow SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + rsync_anon_write SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + rsync_client SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + rsync_export_all_ro SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + rsync_full_access SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + samba_create_home_dirs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + samba_domain_controller SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + samba_enable_home_dirs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + samba_export_all_ro SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. 
+off - SELinux boolean is disabled. + false + false + true + + + samba_export_all_rw SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + samba_load_libgfapi SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + samba_portmapper SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + samba_run_unconfined SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + samba_share_fusefs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + samba_share_nfs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + sanlock_use_fusefs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + sanlock_use_nfs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + sanlock_use_samba SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + saslauthd_read_shadow SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + secadm_exec_content SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. 
+off - SELinux boolean is disabled. + true + false + true + + + secure_mode SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + secure_mode_insmod SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + secure_mode_policyload SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + selinuxuser_direct_dri_enabled SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + selinuxuser_execheap SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + selinuxuser_execmod SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + selinuxuser_execstack SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + selinuxuser_mysql_connect_enabled SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + selinuxuser_ping SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + selinuxuser_postgresql_connect_enabled SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + selinuxuser_rw_noexattrfile SELinux Boolean + default - Default SELinux boolean setting. 
+on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + selinuxuser_share_music SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + selinuxuser_tcp_server SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + selinuxuser_udp_server SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + selinuxuser_use_ssh_chroot SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + sge_domain_can_network_connect SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + sge_use_nfs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + smartmon_3ware SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + smbd_anon_write SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + spamassassin_can_network SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + spamd_enable_home_dirs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + squid_connect_any SELinux Boolean + default - Default SELinux boolean setting. 
+on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + squid_use_tproxy SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + ssh_chroot_rw_homedirs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + ssh_keysign SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + ssh_sysadm_login SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + staff_exec_content SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + staff_use_svirt SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + swift_can_network SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + sysadm_exec_content SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + telepathy_connect_all_ports SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + telepathy_tcp_connect_generic_network_ports SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + tftp_anon_write SELinux Boolean + default - Default SELinux boolean setting. 
+on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + tftp_home_dir SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + tmpreaper_use_nfs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + tmpreaper_use_samba SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + tor_bind_all_unreserved_ports SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + tor_can_network_relay SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + unconfined_chrome_sandbox_transition SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + unconfined_login SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + unconfined_mozilla_plugin_transition SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + unprivuser_use_svirt SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + use_ecryptfs_home_dirs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. 
+ false + false + true + + + use_fusefs_home_dirs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + use_lpd_server SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + use_nfs_home_dirs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + use_samba_home_dirs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + user_exec_content SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + varnishd_connect_any SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + virt_read_qemu_ga_data SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + virt_rw_qemu_ga_data SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + virt_sandbox_use_all_caps SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + virt_sandbox_use_audit SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + virt_sandbox_use_mknod SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. 
+ false + false + true + + + virt_sandbox_use_netlink SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + virt_sandbox_use_sys_admin SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + virt_transition_userdomain SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + virt_use_comm SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + virt_use_execmem SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + virt_use_fusefs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + virt_use_nfs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + virt_use_rawip SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + virt_use_samba SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + virt_use_sanlock SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + virt_use_usb SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. 
+ true + false + true + + + virt_use_xserver SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + webadm_manage_user_files SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + webadm_read_user_files SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + wine_mmap_zero_ignore SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + xdm_bind_vnc_tcp_port SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + xdm_exec_bootloader SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + xdm_sysadm_login SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + xdm_write_home SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + xen_use_nfs SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + xend_run_blktap SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + xend_run_qemu SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. 
+ true + false + true + + + xguest_connect_network SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + xguest_exec_content SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + xguest_mount_media SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + xguest_use_bluetooth SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + true + false + true + + + xserver_clients_write_xshm SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + xserver_execmem SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + xserver_object_manager SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + zabbix_can_network SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + zarafa_setrlimit SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + zebra_write_config SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + zoneminder_anon_write SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. 
+ false + false + true + + + zoneminder_run_sudo SELinux Boolean + default - Default SELinux boolean setting. +on - SELinux boolean is enabled. +off - SELinux boolean is disabled. + false + false + true + + + + + Protect Random-Number Entropy Pool + The I/O operations of the Linux kernel block layer due to their inherently +unpredictable execution times have been traditionally considered as a reliable +source to contribute to random-number entropy pool of the Linux kernel. This +has changed with introduction of solid-state storage devices (SSDs) though. + + + Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool + For each solid-state drive on the system, run: + # echo 0 > /sys/block/DRIVE/queue/add_random + In contrast to traditional electromechanical magnetic disks, containing +spinning disks and / or movable read / write heads, the solid-state storage +devices (SSDs) do not contain moving / mechanical components. Therefore the +I/O operation completion times are much more predictable for them. + + + + + GRUB2 bootloader configuration + During the boot process, the boot loader is +responsible for starting the execution of the kernel and passing +options to it. The boot loader allows for the selection of +different kernels - possibly on different partitions or media. +The default Fedora boot loader for x86 systems is called GRUB2. +Options it can pass to the kernel include single-user mode, which +provides root access without any authentication, and the ability to +disable SELinux. To prevent local users from modifying the boot +parameters and endangering security, protect the boot loader configuration +with a password and ensure its configuration file's permissions +are set properly. + + + IOMMU configuration directive + On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some + of the system critical units such as the memory. 
+ Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities. Proper function and stability should be assessed before applying remediation to production systems. + BP28(R11) + On x86 architectures, activating the I/OMMU prevents the system from arbritrary accesses potentially made by + hardware devices. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Correct grub2 kernelopts value using grub2-editenv +if ! grub2-editenv - list | grep -qE '^kernelopts=(.*\s)?iommu=force(\s.*)?$'; then + grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) iommu=force" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - grub2_enable_iommu_force + - low_disruption + - medium_complexity + - reboot_required + - restrict_strategy + - unknown_severity + +- name: get current kernel parameters + command: /usr/bin/grub2-editenv - list + register: kernelopts + changed_when: false + when: + - '"grub2-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - grub2_enable_iommu_force + - low_disruption + - medium_complexity + - reboot_required + - restrict_strategy + - unknown_severity + +- name: Update the bootloader menu + command: /usr/bin/grub2-editenv - set "{{ item }} iommu=force" + with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') | + list }}' + when: + - '"grub2-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - kernelopts.stdout_lines is defined + - kernelopts.stdout_lines | length > 0 + - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?iommu=force(?:\s.*)?$', + multiline=True) is none + tags: + - grub2_enable_iommu_force 
+ - low_disruption + - medium_complexity + - reboot_required + - restrict_strategy + - unknown_severity + + + + + + + Disable vsyscalls + To disable use of virtual syscalls, +add the argument vsyscall=none to the default +GRUB 2 command line for the Linux operating system in +/etc/default/grub, in the manner below: +GRUB_CMDLINE_LINUX="vsyscall=none" + The GRUB 2 configuration file, grub.cfg, +is automatically updated each time a new kernel is installed. Note that any +changes to /etc/default/grub require rebuilding the grub.cfg +file. To update the GRUB 2 configuration file manually, use the +grub2-mkconfig -o command as follows: +On BIOS-based machines, issue the following command as root: +~]# grub2-mkconfig -o /boot/grub2/grub.cfgOn UEFI-based machines, issue the following command as root: + +~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg + SRG-OS-000480-GPOS-00227 + SRG-OS-000134-GPOS-00068 + CM-7(a) + CCI-001084 + Virtual Syscalls provide an opportunity of attack for a user who has control +of the return instruction pointer. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Correct grub2 kernelopts value using grub2-editenv +if ! 
grub2-editenv - list | grep -qE '^kernelopts=(.*\s)?vsyscall=none(\s.*)?$'; then + grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) vsyscall=none" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-7(a) + - grub2_vsyscall_argument + - low_disruption + - medium_complexity + - medium_severity + - reboot_required + - restrict_strategy + +- name: get current kernel parameters + command: /usr/bin/grub2-editenv - list + register: kernelopts + changed_when: false + when: + - '"grub2-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-7(a) + - grub2_vsyscall_argument + - low_disruption + - medium_complexity + - medium_severity + - reboot_required + - restrict_strategy + +- name: Update the bootloader menu + command: /usr/bin/grub2-editenv - set "{{ item }} vsyscall=none" + with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') | + list }}' + when: + - '"grub2-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - kernelopts.stdout_lines is defined + - kernelopts.stdout_lines | length > 0 + - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?vsyscall=none(?:\s.*)?$', + multiline=True) is none + tags: + - NIST-800-53-CM-7(a) + - grub2_vsyscall_argument + - low_disruption + - medium_complexity + - medium_severity + - reboot_required + - restrict_strategy + + + + + + + + + + Enable Kernel Page-Table Isolation (KPTI) + To enable Kernel page-table isolation, +add the argument pti=on to the default +GRUB 2 command line for the Linux operating system in +/etc/default/grub, in the manner below: +GRUB_CMDLINE_LINUX="pti=on" + The GRUB 2 configuration file, grub.cfg, +is automatically updated each time a new kernel is installed. 
Note that any +changes to /etc/default/grub require rebuilding the grub.cfg +file. To update the GRUB 2 configuration file manually, use the +grub2-mkconfig -o command as follows: +On BIOS-based machines, issue the following command as root: +~]# grub2-mkconfig -o /boot/grub2/grub.cfgOn UEFI-based machines, issue the following command as root: + +~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg + SRG-OS-000433-GPOS-00193 + SRG-OS-000095-GPOS-00049 + SI-16 + CCI-000381 + Kernel page-table isolation is a kernel feature that mitigates +the Meltdown security vulnerability and hardens the kernel +against attempts to bypass kernel address space layout +randomization (KASLR). + + # Remediation is applicable only in certain platforms +if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + +# Correct grub2 kernelopts value using grub2-editenv +if ! grub2-editenv - list | grep -qE '^kernelopts=(.*\s)?pti=on(\s.*)?$'; then + grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) pti=on" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-SI-16 + - grub2_pti_argument + - high_severity + - low_disruption + - medium_complexity + - reboot_required + - restrict_strategy + +- name: get current kernel parameters + command: /usr/bin/grub2-editenv - list + register: kernelopts + changed_when: false + when: + - '"grub2-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-SI-16 + - grub2_pti_argument + - high_severity + - low_disruption + - medium_complexity + - reboot_required + - restrict_strategy + +- name: Update the bootloader menu + command: /usr/bin/grub2-editenv - set "{{ item }} pti=on" + with_items: '{{ kernelopts.stdout_lines | select(''match'', ''^kernelopts.*'') | + list }}' + when: + - '"grub2-common" in 
ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - kernelopts.stdout_lines is defined + - kernelopts.stdout_lines | length > 0 + - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?pti=on(?:\s.*)?$', multiline=True) + is none + tags: + - NIST-800-53-SI-16 + - grub2_pti_argument + - high_severity + - low_disruption + - medium_complexity + - reboot_required + - restrict_strategy + + + + + + + + + + UEFI GRUB2 bootloader configuration + UEFI GRUB2 bootloader configuration + + + Verify the UEFI Boot Loader grub.cfg Permissions + File permissions for /boot/efi/EFI/fedora/grub.cfg should be set to 700. + +To properly set the permissions of /boot/efi/EFI/fedora/grub.cfg, run the command: +$ sudo chmod 700 /boot/efi/EFI/fedora/grub.cfg + 3.4.5 + CCI-000225 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + Proper permissions ensure that only the root user can modify important boot +parameters. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +chmod 0700 /boot/efi/EFI/fedora/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Test for existence /boot/efi/EFI/fedora/grub.cfg + stat: + path: /boot/efi/EFI/fedora/grub.cfg + register: file_exists + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_permissions_efi_grub2_cfg + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure permission 0700 on /boot/efi/EFI/fedora/grub.cfg + file: + path: /boot/efi/EFI/fedora/grub.cfg + mode: '0700' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - file_exists.stat is defined and file_exists.stat.exists + tags: + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_permissions_efi_grub2_cfg + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Set the UEFI Boot Loader Password + The grub2 boot loader should have a superuser account and password +protection enabled to protect boot-time settings. + +Since plaintext passwords are a security risk, generate a hash for the password +by running the following command: + +$ grub2-setpassword + +When prompted, enter the password that was selected. + + +Once the superuser password has been added, +update the +grub.cfg file by running: + +grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg + To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation +must be automated as a component of machine provisioning, or followed manually as outlined above. + +Also, do NOT manually add the superuser account and password to the +grub.cfg file as the grub2-mkconfig command overwrites this file. 
+ 3.4.5 + CCI-000213 + 164.308(a)(1)(ii)(B) + 164.308(a)(7)(i) + 164.308(a)(7)(ii)(A) + 164.310(a)(1) + 164.310(a)(2)(i) + 164.310(a)(2)(ii) + 164.310(a)(2)(iii) + 164.310(b) + 164.310(c) + 164.310(d)(1) + 164.310(d)(2)(iii) + CM-6(a) + PR.AC-4 + PR.AC-6 + PR.PT-3 + FIA_UAU.1 + SRG-OS-000080-GPOS-00048 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + DSS06.06 + A.6.1.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 11 + 12 + 14 + 15 + 16 + 18 + 3 + 5 + BP28(R17) + Password protection on the boot loader configuration ensures +users with physical access cannot trivially alter +important bootloader settings. These include which kernel to use, +and whether to enter single-user mode. + + + + + + + + + + Verify the UEFI Boot Loader grub.cfg User Ownership + The file /boot/efi/EFI/fedora/grub.cfg should +be owned by the root user to prevent destruction +or modification of the file. + +To properly set the owner of /boot/efi/EFI/fedora/grub.cfg, run the command: +$ sudo chown root /boot/efi/EFI/fedora/grub.cfg + 5.5.2.2 + 3.4.5 + CCI-000225 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + Req-7.1 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + Only root should be able to modify important boot parameters. 
+ + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chown 0 /boot/efi/EFI/fedora/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Test for existence /boot/efi/EFI/fedora/grub.cfg + stat: + path: /boot/efi/EFI/fedora/grub.cfg + register: file_exists + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.2.2 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-7.1 + - configure_strategy + - file_owner_efi_grub2_cfg + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure owner 0 on /boot/efi/EFI/fedora/grub.cfg + file: + path: /boot/efi/EFI/fedora/grub.cfg + owner: '0' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CJIS-5.5.2.2 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-7.1 + - configure_strategy + - file_owner_efi_grub2_cfg + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Set the UEFI Boot Loader Admin Username to a Non-Default Value + The grub2 boot loader should have a superuser account and password +protection enabled to protect boot-time settings. + +To maximize the protection, select a password-protected superuser account with unique name, and modify the +/etc/grub.d/01_users configuration file to reflect the account name change. + +It is highly suggested not to use common administrator account names like root, +admin, or administrator for the grub2 superuser account. + +Change the superuser to a different username (The default is 'root'). 
+$ sed -i 's/\(set superuser=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users + +Once the superuser account has been added, +update the +grub.cfg file by running: +grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg + To prevent hard-coded admin usernames, automatic remediation of this control is not available. Remediation +must be automated as a component of machine provisioning, or followed manually as outlined above. + +Also, do NOT manually add the superuser account and password to the +grub.cfg file as the grub2-mkconfig command overwrites this file. + 3.4.5 + CCI-000213 + 164.308(a)(1)(ii)(B) + 164.308(a)(7)(i) + 164.308(a)(7)(ii)(A) + 164.310(a)(1) + 164.310(a)(2)(i) + 164.310(a)(2)(ii) + 164.310(a)(2)(iii) + 164.310(b) + 164.310(c) + 164.310(d)(1) + 164.310(d)(2)(iii) + CM-6(a) + PR.AC-4 + PR.AC-6 + PR.PT-3 + FIA_UAU.1 + SRG-OS-000080-GPOS-00048 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + DSS06.06 + A.6.1.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 11 + 12 + 14 + 15 + 16 + 18 + 3 + 5 + BP28(R17) + Having a non-default grub superuser username makes password-guessing attacks less effective. + + + + + + + + + + Verify the UEFI Boot Loader grub.cfg Group Ownership + The file /boot/efi/EFI/fedora/grub.cfg should +be group-owned by the root group to prevent +destruction or modification of the file. 
+ +To properly set the group owner of /boot/efi/EFI/fedora/grub.cfg, run the command: +$ sudo chgrp root /boot/efi/EFI/fedora/grub.cfg + 5.5.2.2 + 3.4.5 + CCI-000225 + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + Req-7.1 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + The root group is a highly-privileged group. Furthermore, the group-owner of this +file should not have any access privileges anyway. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chgrp 0 /boot/efi/EFI/fedora/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Test for existence /boot/efi/EFI/fedora/grub.cfg + stat: + path: /boot/efi/EFI/fedora/grub.cfg + register: file_exists + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.2.2 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-7.1 + - configure_strategy + - file_groupowner_efi_grub2_cfg + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure group owner 0 on /boot/efi/EFI/fedora/grub.cfg + file: + path: /boot/efi/EFI/fedora/grub.cfg + group: '0' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CJIS-5.5.2.2 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-7.1 + - configure_strategy + - file_groupowner_efi_grub2_cfg + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + + Non-UEFI GRUB2 bootloader 
configuration + Non-UEFI GRUB2 bootloader configuration + + + Set Boot Loader Password in grub2 + The grub2 boot loader should have a superuser account and password +protection enabled to protect boot-time settings. + +Since plaintext passwords are a security risk, generate a hash for the password +by running the following command: + +$ grub2-setpassword + +When prompted, enter the password that was selected. + + + +Once the superuser password has been added, +update the +grub.cfg file by running: +grub2-mkconfig -o /boot/grub2/grub.cfg + To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation +must be automated as a component of machine provisioning, or followed manually as outlined above. + +Also, do NOT manually add the superuser account and password to the +grub.cfg file as the grub2-mkconfig command overwrites this file. + 3.4.5 + CCI-000213 + 164.308(a)(1)(ii)(B) + 164.308(a)(7)(i) + 164.308(a)(7)(ii)(A) + 164.310(a)(1) + 164.310(a)(2)(i) + 164.310(a)(2)(ii) + 164.310(a)(2)(iii) + 164.310(b) + 164.310(c) + 164.310(d)(1) + 164.310(d)(2)(iii) + CM-6(a) + PR.AC-1 + PR.AC-4 + PR.AC-6 + PR.AC-7 + PR.PT-3 + FIA_UAU.1 + SRG-OS-000080-GPOS-00048 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.06 + DSS06.10 + A.18.1.4 + A.6.1.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 14 + 15 + 16 + 18 + 3 + 5 + BP28(R17) + Password protection on the boot loader 
configuration ensures +users with physical access cannot trivially alter +important bootloader settings. These include which kernel to use, +and whether to enter single-user mode. + + + + + + + + + + Verify /boot/grub2/grub.cfg Group Ownership + The file /boot/grub2/grub.cfg should +be group-owned by the root group to prevent +destruction or modification of the file. + +To properly set the group owner of {{{ grub2_boot_path }}}/grub.cfg, run the command: +$ sudo chgrp root {{{ grub2_boot_path }}}/grub.cfg + 5.5.2.2 + 3.4.5 + CCI-000225 + 164.308(a)(1)(ii)(B) + 164.308(a)(7)(i) + 164.308(a)(7)(ii)(A) + 164.310(a)(1) + 164.310(a)(2)(i) + 164.310(a)(2)(ii) + 164.310(a)(2)(iii) + 164.310(b) + 164.310(c) + 164.310(d)(1) + 164.310(d)(2)(iii) + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + Req-7.1 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + The root group is a highly-privileged group. Furthermore, the group-owner of this +file should not have any access privileges anyway. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +chgrp 0 /boot/grub2/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Test for existence /boot/grub2/grub.cfg + stat: + path: /boot/grub2/grub.cfg + register: file_exists + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.2.2 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-7.1 + - configure_strategy + - file_groupowner_grub2_cfg + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure group owner 0 on /boot/grub2/grub.cfg + file: + path: /boot/grub2/grub.cfg + group: '0' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CJIS-5.5.2.2 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-7.1 + - configure_strategy + - file_groupowner_grub2_cfg + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Verify /boot/grub2/grub.cfg User Ownership + The file /boot/grub2/grub.cfg should +be owned by the root user to prevent destruction +or modification of the file. 
+ +To properly set the owner of {{{ grub2_boot_path }}}/grub.cfg, run the command: +$ sudo chown root {{{ grub2_boot_path }}}/grub.cfg + 5.5.2.2 + 3.4.5 + CCI-000225 + 164.308(a)(1)(ii)(B) + 164.308(a)(7)(i) + 164.308(a)(7)(ii)(A) + 164.310(a)(1) + 164.310(a)(2)(i) + 164.310(a)(2)(ii) + 164.310(a)(2)(iii) + 164.310(b) + 164.310(c) + 164.310(d)(1) + 164.310(d)(2)(iii) + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + Req-7.1 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + Only root should be able to modify important boot parameters. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +chown 0 /boot/grub2/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Test for existence /boot/grub2/grub.cfg + stat: + path: /boot/grub2/grub.cfg + register: file_exists + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.2.2 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-7.1 + - configure_strategy + - file_owner_grub2_cfg + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure owner 0 on /boot/grub2/grub.cfg + file: + path: /boot/grub2/grub.cfg + owner: '0' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - file_exists.stat is defined and file_exists.stat.exists + tags: + - CJIS-5.5.2.2 + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-7.1 + - configure_strategy + - file_owner_grub2_cfg + - low_complexity + - low_disruption + - medium_severity + - 
no_reboot_needed + + + + + + + + + + Verify /boot/grub2/grub.cfg Permissions + File permissions for /boot/grub2/grub.cfg should be set to 600. + +To properly set the permissions of {{{ grub2_boot_path }}}/grub.cfg, run the command: +$ sudo chmod 600 {{{ grub2_boot_path }}}/grub.cfg + 3.4.5 + CCI-000225 + 164.308(a)(1)(ii)(B) + 164.308(a)(7)(i) + 164.308(a)(7)(ii)(A) + 164.310(a)(1) + 164.310(a)(2)(i) + 164.310(a)(2)(ii) + 164.310(a)(2)(iii) + 164.310(b) + 164.310(c) + 164.310(d)(1) + 164.310(d)(2)(iii) + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + Proper permissions ensure that only the root user can modify important boot +parameters. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +chmod 0600 /boot/grub2/grub.cfg + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Test for existence /boot/grub2/grub.cfg + stat: + path: /boot/grub2/grub.cfg + register: file_exists + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_permissions_grub2_cfg + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Ensure permission 0600 on /boot/grub2/grub.cfg + file: + path: /boot/grub2/grub.cfg + mode: '0600' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - file_exists.stat is defined and file_exists.stat.exists + tags: + - NIST-800-171-3.4.5 + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_permissions_grub2_cfg + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Set the Boot Loader Admin Username to a Non-Default Value + The grub2 boot loader should have a superuser account and password +protection enabled to protect boot-time settings. + +To maximize the protection, select a password-protected superuser account with unique name, and modify the +/etc/grub.d/01_users configuration file to reflect the account name change. + +Do not to use common administrator account names like root, +admin, or administrator for the grub2 superuser account. + +Change the superuser to a different username (The default is 'root'). +$ sed -i 's/\(set superuser=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users + +Once the superuser account has been added, +update the +grub.cfg file by running: +grub2-mkconfig -o /boot/grub2/grub.cfg + To prevent hard-coded admin usernames, automatic remediation of this control is not available. 
Remediation +must be automated as a component of machine provisioning, or followed manually as outlined above. + +Also, do NOT manually add the superuser account and password to the +grub.cfg file as the grub2-mkconfig command overwrites this file. + 3.4.5 + CCI-000213 + 164.308(a)(1)(ii)(B) + 164.308(a)(7)(i) + 164.308(a)(7)(ii)(A) + 164.310(a)(1) + 164.310(a)(2)(i) + 164.310(a)(2)(ii) + 164.310(a)(2)(iii) + 164.310(b) + 164.310(c) + 164.310(d)(1) + 164.310(d)(2)(iii) + CM-6(a) + PR.AC-1 + PR.AC-4 + PR.AC-6 + PR.AC-7 + PR.PT-3 + FIA_UAU.1 + SRG-OS-000080-GPOS-00048 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.06 + DSS06.10 + A.18.1.4 + A.6.1.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 14 + 15 + 16 + 18 + 3 + 5 + BP28(R17) + Having a non-default grub superuser username makes password-guessing attacks less effective. + + + + + + + + + + + + zIPL bootloader configuration + During the boot process, the bootloader is +responsible for starting the execution of the kernel and passing +options to it. +The default Fedora boot loader for s390x systems is called zIPL. + + + + + Services + The best protection against vulnerable software is running less software. This section describes how to review +the software which Fedora installs on a system and disable software which is not needed. 
It +then enumerates the software packages installed on a default Fedora system and provides guidance about which +ones can be safely disabled. + +Fedora provides a convenient minimal install option that essentially installs the bare necessities for a functional +system. When building Fedora systems, it is highly recommended to select the minimal packages and then build up +the system from there. + + Cron and At Daemons + The cron and at services are used to allow commands to +be executed at a later time. The cron service is required by almost +all systems to perform necessary maintenance tasks, while at may or +may not be required on a given system. Both daemons should be +configured defensively. + + + Install the cron service + The Cron service should be installed. + BP28(R50) + CM-6(a) + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + PR.IP-1 + PR.PT-3 + The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! 
rpm -q --quiet "cron" ; then + dnf install -y "cron" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure cron is installed + package: + name: cron + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_cron_installed + + include install_cron + +class install_cron { + package { 'cron': + ensure => 'installed', + } +} + + +package --add=cron + + +[[packages]] +name = "cron" +version = "*" + + + + + + + Enable cron Service + The crond service is used to execute commands at +preconfigured times. It is required by almost all systems to perform necessary +maintenance tasks, such as notifying root of system activity. + +The cron service can be enabled with the following command: +$ sudo systemctl enable cron.service + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + Due to its usage for maintenance and security-supporting tasks, +enabling the cron daemon is essential. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'cron.service' +"$SYSTEMCTL_EXEC" start 'cron.service' +"$SYSTEMCTL_EXEC" enable 'cron.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable service cron + block: + + - name: Gather the package facts + package_facts: + manager: auto + + - name: Enable service cron + service: + name: cron + enabled: 'yes' + state: started + masked: 'no' + when: + - '"cron" in ansible_facts.packages' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_cron_enabled + + include enable_cron + +class enable_cron { + service {'cron': + enable => true, + ensure => 'running', + } +} + + + + + + + + + + Enable cron Service + The crond service is used to execute commands at +preconfigured times. It is required by almost all systems to perform necessary +maintenance tasks, such as notifying root of system activity. 
+ +The crond service can be enabled with the following command: +$ sudo systemctl enable crond.service + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + Due to its usage for maintenance and security-supporting tasks, +enabling the cron daemon is essential. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'crond.service' +"$SYSTEMCTL_EXEC" start 'crond.service' +"$SYSTEMCTL_EXEC" enable 'crond.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable service crond + block: + + - name: Gather the package facts + package_facts: + manager: auto + + - name: Enable service crond + service: + name: crond + enabled: 'yes' + state: started + masked: 'no' + when: + - '"cronie" in ansible_facts.packages' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_crond_enabled + + include enable_crond + +class enable_crond { + service {'crond': + enable => true, + ensure => 'running', + } +} + + + + + + + + + + Disable At Service (atd) + The at and batch commands can be used to +schedule tasks that are meant to be executed only once. This allows delayed +execution in a manner similar to cron, except that it is not +recurring. The daemon atd keeps track of tasks scheduled via +at and batch, and executes them at the specified time. 
+ +The atd service can be disabled with the following command: +$ sudo systemctl mask --now atd.service + CCI-000381 + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + The atd service could be used by an unsophisticated insider to carry +out activities outside of a normal login session, which could complicate +accountability. Furthermore, the need to schedule tasks with at or +batch is not common. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'atd.service' +"$SYSTEMCTL_EXEC" disable 'atd.service' +"$SYSTEMCTL_EXEC" mask 'atd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^atd.socket'; then + "$SYSTEMCTL_EXEC" stop 'atd.socket' + "$SYSTEMCTL_EXEC" mask 'atd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. 
+"$SYSTEMCTL_EXEC" reset-failed 'atd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable service atd + block: + + - name: Gather the service facts + service_facts: null + + - name: Disable service atd + systemd: + name: atd.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"atd.service" in ansible_facts.services' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_atd_disabled + +- name: Unit Socket Exists - atd.socket + command: systemctl list-unit-files atd.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_atd_disabled + +- name: Disable socket atd + systemd: + name: atd.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"atd.socket" in socket_file_exists.stdout_lines[1]' + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_atd_disabled + + include disable_atd + +class disable_atd { + service {'atd': + enable => false, + ensure => 'stopped', + } +} + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: atd.service + enabled: false + mask: true + - name: atd.socket + 
enabled: false + mask: true + + + + + + + + + + Disable anacron Service + The cronie-anacron package, which provides anacron +functionality, is installed by default. +The cronie-anacron package can be removed with the following command: + +$ sudo dnf erase cronie-anacron + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + The anacron service provides cron functionality for systems +such as laptops and workstations that may be shut down during the normal times +that cron jobs are scheduled to run. On systems which do not require this +additional functionality, anacron could needlessly increase the possible +attack surface for an intruder. + + + + + + + Restrict at and cron to Authorized Users if Necessary + The /etc/cron.allow and /etc/at.allow files contain lists of +users who are allowed to use cron and at to delay execution of +processes. If these files exist and if the corresponding files +/etc/cron.deny and /etc/at.deny do not exist, then only users +listed in the relevant allow files can run the crontab and at commands +to submit jobs to be run at scheduled intervals. On many systems, only the +system administrator needs the ability to schedule jobs. Note that even if a +given user is not listed in cron.allow, cron jobs can still be run as +that user. 
The cron.allow file controls only administrative access +to the crontab command for scheduling and modifying cron jobs. + + +To restrict at and cron to only authorized users: +Remove the cron.deny file:$ sudo rm /etc/cron.denyEdit /etc/cron.allow, adding one line for each user allowed to use +the crontab command to create cron jobs.Remove the at.deny file:$ sudo rm /etc/at.denyEdit /etc/at.allow, adding one line for each user allowed to use +the at command to create at jobs. + + + + + Mail Server Software + Mail servers are used to send and receive email over the network. +Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious +targets of network attack. +Ensure that systems are not running MTAs unnecessarily, +and configure needed MTAs as defensively as possible. + +Very few systems at any site should be configured to directly receive email over the +network. Users should instead use mail client programs to retrieve email +from a central server that supports protocols such as IMAP or POP3. +However, it is normal for most systems to be independently capable of sending email, +for instance so that cron jobs can report output to an administrator. +Most MTAs, including Postfix, support a submission-only mode in which mail can be sent from +the local system to a central site MTA (or directly delivered to a local account), +but the system still cannot receive mail directly over a network. + +The alternatives program in Fedora permits selection of other mail server software +(such as Sendmail), but Postfix is the default and is preferred. +Postfix was coded with security in mind and can also be more effectively contained by +SELinux as its modular design has resulted in separate processes performing specific actions. +More information is available on its website, + http://www.postfix.org. + + + Uninstall Sendmail Package + Sendmail is not the default mail transfer agent and is +not installed by default. 
+The sendmail package can be removed with the following command: + +$ sudo dnf erase sendmail + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + BP28(R1) + SRG-OS-000480-GPOS-00227 + SRG-OS-000095-GPOS-00049 + CCI-000381 + The sendmail software was not developed with security in mind and +its design prevents it from being effectively contained by SELinux. Postfix +should be used instead. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove sendmail +# from the system, and may remove any packages +# that depend on sendmail. Execute this +# remediation AFTER testing on a non-production +# system! 
+ +if rpm -q --quiet "sendmail" ; then + dnf remove -y "sendmail" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure sendmail is removed + package: + name: sendmail + state: absent + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_sendmail_removed + + include remove_sendmail + +class remove_sendmail { + package { 'sendmail': + ensure => 'purged', + } +} + + +package --remove=sendmail + + + + + + + + + + Configure SMTP For Mail Clients + This section discusses settings for Postfix in a submission-only +e-mail configuration. + + + Postfix Network Interfaces + The setting for inet_interfaces in /etc/postfix/main.cf + loopback-only + loopback-only + localhost + + + Postfix relayhost + Specify the host all outbound email should be routed into. + smtp.$mydomain + + + Postfix Root Mail Alias + Specify an email address (string) for a root mail alias. + system.administrator@mail.mil + + + Configure System to Forward All Mail For The Root Account + Make sure that mails delivered to root user are forwarded to a monitored +email address. Make sure that the address + is a valid email address +reachable from the system in question. Use the following command to +configure the alias: +$ sudo echo "root: " >> /etc/aliases +$ sudo newaliases + CCI-000139 + CCI-000366 + CM-6(a) + SRG-OS-000046-GPOS-00022 + BP28(R49) + A number of system services utilize email messages sent to the root user to +notify system administrators of active or impending issues. These messages must +be forwarded to at least one monitored email address. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +var_postfix_root_mail_alias="" + +replace_or_append '/etc/aliases' '^root' "$var_postfix_root_mail_alias" '' '%s: %s' + +newaliases + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_postfix_root_mail_alias # promote to variable + set_fact: + var_postfix_root_mail_alias: !!str + tags: + - always + +- name: Make sure that that "/etc/aliases" has a defined value for root + lineinfile: + path: /etc/aliases + line: 'root: {{ var_postfix_root_mail_alias }}' + regexp: ^(?:[rR][oO][oO][tT]|"[rR][oO][oO][tT]")\s*:\s*(.+)$ + create: true + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - configure_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - postfix_client_configure_mail_alias + + + + + + + + + + + Configure System to Forward All Mail through a specific host + Set up a relay host that will act as a gateway for all outbound email. +Edit the file /etc/postfix/main.cf to ensure that only the following +relayhost line appears: +relayhost = + A central outbound email location ensures messages sent from any network host +can be audited for potential unexpected content. Tooling on the central server +may help prevent spam or viruses from being delivered. + + + + + + + + Configure Operating System to Protect Mail Server + The guidance in this section is appropriate for any host which is +operating as a site MTA, whether the mail server runs using Sendmail, Postfix, +or some other software. + + + Configure SSL Certificates for Use with SMTP AUTH + If SMTP AUTH is to be used, the use of SSL to protect credentials in transit is strongly recommended. +There are also configurations for which it may be desirable to encrypt all mail in transit from one MTA to another, +though such configurations are beyond the scope of this guide. 
In either event, the steps for creating and installing +an SSL certificate are independent of the MTA in use, and are described here. + + + Ensure Security of Postfix SSL Certificate + Create the PKI directory for mail certificates, if it does not already exist: +$ sudo mkdir /etc/pki/tls/mail +$ sudo chown root:root /etc/pki/tls/mail +$ sudo chmod 755 /etc/pki/tls/mail +Using removable media or some other secure transmission format, install the files generated in the previous +step onto the mail server: +/etc/pki/tls/mail/serverkey.pem: the private key mailserverkey.pem +/etc/pki/tls/mail/servercert.pem: the certificate file mailservercert.pem +Verify the ownership and permissions of these files: +$ sudo chown root:root /etc/pki/tls/mail/serverkey.pem +$ sudo chown root:root /etc/pki/tls/mail/servercert.pem +$ sudo chmod 600 /etc/pki/tls/mail/serverkey.pem +$ sudo chmod 644 /etc/pki/tls/mail/servercert.pem +Verify that the CA's public certificate file has been installed as /etc/pki/tls/CA/cacert.pem, and has the +correct permissions: +$ sudo chown root:root /etc/pki/tls/CA/cacert.pem +$ sudo chmod 644 /etc/pki/tls/CA/cacert.pem + + + + + Configure Postfix if Necessary + Postfix stores its configuration files in the directory +/etc/postfix by default. The primary configuration file is +/etc/postfix/main.cf. + + + Control Mail Relaying + Postfix's mail relay controls are implemented with the help of the +smtpd recipient restrictions option, which controls the restrictions placed on +the SMTP dialogue once the sender and recipient envelope addresses are known. +The guidance in the following sections should be applied to all systems. If +there are systems which must be allowed to relay mail, but which cannot be +trusted to relay unconditionally, configure SMTP AUTH with SSL support. + + + Require SMTP AUTH Before Relaying from Untrusted Clients + SMTP authentication allows remote clients to relay mail safely by +requiring them to authenticate before submitting mail. 
Postfix's SMTP AUTH uses +an authentication library called SASL, which is not part of Postfix itself. To +enable the use of SASL authentication, see + + http://www.postfix.org/SASL_README.html + + + + Enact SMTP Recipient Restrictions + To configure Postfix to restrict addresses to which it +will send mail, see: + + http://www.postfix.org/SMTPD_ACCESS_README.html#danger + +The full contents of smtpd_recipient_restrictions will +vary by site, since this is a common place to put spam restrictions and other +site-specific options. The permit_mynetworks option allows all mail to +be relayed from the systems in mynetworks. Then, the +reject_unauth_destination option denies all mail whose destination +address is not local, preventing any other systems from relaying. These two +options should always appear in this order, and should usually follow one +another immediately unless SMTP AUTH is used. + + + + Configure Trusted Networks and Hosts + Edit /etc/postfix/main.cf, and configure the contents of +the mynetworks variable in one of the following ways: +If any system in the subnet containing the MTA may be trusted to relay +messages, add or correct the following line: +mynetworks_style = subnet +This is also the default setting, and is in effect if all +my_networks_style directives are commented.If only the MTA host itself is trusted to relay messages, add or correct +the following line: +mynetworks_style = hostIf the set of systems which can relay is more complicated, manually +specify an entry for each netblock or IP address which is trusted to relay by +setting the mynetworks variable directly: +mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1 + + + + Use TLS for SMTP AUTH + Postfix provides options to use TLS for certificate-based +authentication and encrypted sessions. An encrypted session protects the +information that is transmitted with SMTP mail or with SASL authentication. 
+To configure Postfix to protect all SMTP AUTH transactions +using TLS, see + http://www.postfix.org/TLS_README.html. + + + + Enact SMTP Relay Restrictions + To configure Postfix to restrict addresses to which it +will send mail, see: + + http://www.postfix.org/SMTPD_ACCESS_README.html#danger + +The full contents of smtpd_recipient_restrictions will +vary by site, since this is a common place to put spam restrictions and other +site-specific options. The permit_mynetworks option allows all mail to +be relayed from the systems in mynetworks. Then, the +reject_unauth_destination option denies all mail whose destination +address is not local, preventing any other systems from relaying. These two +options should always appear in this order, and should usually follow one +another immediately unless SMTP AUTH is used. + + + + + Configure Postfix Resource Usage to Limit Denial of Service Attacks + Edit /etc/postfix/main.cf. Edit the following lines to +configure the amount of system resources Postfix can consume: +default_process_limit = 100 +smtpd_client_connection_count_limit = 10 +smtpd_client_connection_rate_limit = 30 +queue_minfree = 20971520 +header_size_limit = 51200 +message_size_limit = 10485760 +smtpd_recipient_limit = 100 +The values here are examples. + Note: The values given here are examples, and may +need to be modified for any particular site. By default, the Postfix anvil +process gathers mail receipt statistics. To get information about about what +connection rates are typical at your site, look in /var/log/maillog +for lines with the daemon name postfix/anvil. + + + + + + + SNMP Server + The Simple Network Management Protocol allows +administrators to monitor the state of network devices, including +computers. Older versions of SNMP were well-known for weak +security, such as plaintext transmission of the community string +(used for authentication) and usage of easily-guessable +choices for the community string. 
+ + Disable SNMP Server if Possible + The system includes an SNMP daemon that allows for its remote +monitoring, though it not installed by default. If it was installed and +activated but is not needed, the software should be disabled and removed. + + Uninstall net-snmp Package + The net-snmp package provides the snmpd service. +The net-snmp package can be removed with the following command: + +$ sudo dnf erase net-snmp + If there is no need to run SNMP server software, +removing the package provides a safeguard against its +activation. + +# CAUTION: This remediation script will remove net-snmp +# from the system, and may remove any packages +# that depend on net-snmp. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "net-snmp" ; then + dnf remove -y "net-snmp" +fi + + - name: Ensure net-snmp is removed + package: + name: net-snmp + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - package_net-snmp_removed + - unknown_severity + + include remove_net-snmp + +class remove_net-snmp { + package { 'net-snmp': + ensure => 'purged', + } +} + + +package --remove=net-snmp + + + + + + + + + + + Configure SNMP Server if Necessary + If it is necessary to run the snmpd agent on the system, some best +practices should be followed to minimize the security risk from the +installation. 
The multiple security models implemented by SNMP cannot be fully +covered here so only the following general configuration advice can be offered: +use only SNMP version 3 security models and enable the use of authentication and encryptionwrite access to the MIB (Management Information Base) should be allowed only if necessaryall access to the MIB should be restricted following a principle of least privilegenetwork access should be limited to the maximum extent possible including restricting to expected network +addresses both in the configuration files and in the system firewall rulesensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management +stationsensure that permissions on the snmpd.conf configuration file (by default, in /etc/snmp) are 640 or more restrictiveensure that any MIB files' permissions are also 640 or more restrictive + + SNMP read-only community string + Specify the SNMP community string used for read-only access. + changemero + + + SNMP read-write community string + Specify the SNMP community string used for read-write access. + changemerw + + + Ensure SNMP Read Write is disabled + Edit /etc/snmp/snmpd.conf, remove any rwuser entries. +Once the read write users have been removed, restart the SNMP service: +$ sudo service snmpd restart + Certain SNMP settings can permit users to execute system behaviors from user +writes to the community strings. +This may permit a compromised account to execute commands on a remote system. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q net-snmp; then + +if grep -s "rwuser" /etc/snmp/snmpd.conf | grep -qv "^#"; then + sed -i "/^\s*#/b;/rwuser/ s/^/#/" /etc/snmp/snmpd.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + Ensure Default SNMP Password Is Not Used + Edit /etc/snmp/snmpd.conf, remove or change the default community strings of +public and private. 
+This profile configures new read-only community string to and read-write community string to . +Once the default community strings have been changed, restart the SNMP service: +$ sudo service snmpd restart + CCI-000366 + IA-5(e) + PR.AC-1 + PR.AC-6 + PR.AC-7 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + Whether active or not, default simple network management protocol (SNMP) community +strings must be changed to maintain security. If the service is running with the +default authenticators, then anyone can gather data about the system and the network +and use the information to potentially compromise the integrity of the system and +network(s). 
+ + # Remediation is applicable only in certain platforms +if rpm --quiet -q net-snmp; then + +#!/bin/bash + + +var_snmpd_ro_string="" + +var_snmpd_rw_string="" + + + +# remediate read-only community string +if grep -q 'public' /etc/snmp/snmpd.conf; then + sed -i "s/public/$var_snmpd_ro_string/" /etc/snmp/snmpd.conf +fi + +# remediate read-write community string +if grep -q 'private' /etc/snmp/snmpd.conf; then + sed -i "s/private/$var_snmpd_rw_string/" /etc/snmp/snmpd.conf +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-IA-5(e) + - configure_strategy + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - snmpd_not_default_password +- name: XCCDF Value var_snmpd_ro_string # promote to variable + set_fact: + var_snmpd_ro_string: !!str + tags: + - always +- name: XCCDF Value var_snmpd_rw_string # promote to variable + set_fact: + var_snmpd_rw_string: !!str + tags: + - always + +- name: Check if file /etc/snmp/snmpd.conf exists + stat: + path: /etc/snmp/snmpd.conf + register: snmpd + when: '"net-snmp" in ansible_facts.packages' + tags: + - NIST-800-53-IA-5(e) + - configure_strategy + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - snmpd_not_default_password + +- name: Replace all instances of SNMP RO strings + replace: + path: /etc/snmp/snmpd.conf + regexp: public + replace: '{{ var_snmpd_ro_string }}' + when: + - '"net-snmp" in ansible_facts.packages' + - (snmpd.stat.exists is defined and snmpd.stat.exists) + tags: + - NIST-800-53-IA-5(e) + - configure_strategy + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - snmpd_not_default_password + +- name: Replace all instances of SNMP RW strings + replace: + path: /etc/snmp/snmpd.conf + regexp: private + replace: '{{ var_snmpd_rw_string }}' + when: + - '"net-snmp" in ansible_facts.packages' + - 
(snmpd.stat.exists is defined and snmpd.stat.exists) + tags: + - NIST-800-53-IA-5(e) + - configure_strategy + - high_severity + - low_complexity + - medium_disruption + - no_reboot_needed + - snmpd_not_default_password + + + + + + + + + + Configure SNMP Service to Use Only SNMPv3 or Newer + Edit /etc/snmp/snmpd.conf, removing any references to rocommunity, rwcommunity, or com2sec. +Upon doing that, restart the SNMP service: +$ sudo service snmpd restart + 1311 + Earlier versions of SNMP are considered insecure, as they potentially allow +unauthorized access to detailed system management information. + + + + + + + + + + + + Network Routing + A router is a very desirable target for a +potential adversary because they fulfill a variety of +infrastructure networking roles such as access to network segments, +gateways to other networks, filtering, etc. Therefore, if one is +required, the system acting as a router should be dedicated +to that purpose alone and be stored in a physically secure +location. The system's default routing software is Quagga, and +provided in an RPM package of the same name. + + Disable Quagga if Possible + If Quagga was installed and activated, but the system +does not need to act as a router, then it should be disabled +and removed. + + + + Proxy Server + A proxy server is a very desirable target for a +potential adversary because much (or all) sensitive data for a +given infrastructure may flow through it. Therefore, if one is +required, the system acting as a proxy server should be dedicated +to that purpose alone and be stored in a physically secure +location. The system's default proxy server software is Squid, and +provided in an RPM package of the same name. + + Disable Squid if Possible + If Squid was installed and activated, but the system +does not need to act as a proxy server, then it should be disabled +and removed. 
+ + + + Remote Authentication Dial-In User Service (RADIUS) + Remote Authentication Dial-In User Service (RADIUS) is a networking +protocol, operating on port 1812 that provides centralized +Authentication, Authorization, and Accounting (AAA or Triple A) +management for users who connect and use a network service. + + + Apport Service + The Apport service provides debugging and crash reporting +features on Ubuntu distributions. + + + Deprecated services + Some deprecated software services impact the overall system security due to their behavior (leak of +confidentiality in network exchange, usage as uncontrolled communication channel, risk associated with the service due to its old age, etc. + + Uninstall the inet-based telnet server + The inet-based telnet daemon should be uninstalled. + NT007(R03) + CM-7(a) + CM-7(b) + CM-6(a) + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.04 + DSS05.02 + DSS05.03 + DSS05.05 + DSS06.06 + A.11.2.6 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.2.1 + A.6.2.2 + A.9.1.2 + 11 + 12 + 14 + 15 + 3 + 8 + 9 + PR.AC-3 + PR.IP-1 + PR.PT-3 + PR.PT-4 + telnet allows clear text communications, and does not protect any +data transmission between client and server. Any confidential data can be +listened and no integrity checking is made. 
+ +# CAUTION: This remediation script will remove inetutils-telnetd +# from the system, and may remove any packages +# that depend on inetutils-telnetd. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "inetutils-telnetd" ; then + dnf remove -y "inetutils-telnetd" +fi + + - name: Ensure inetutils-telnetd is removed + package: + name: inetutils-telnetd + state: absent + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - package_inetutils-telnetd_removed + + include remove_inetutils-telnetd + +class remove_inetutils-telnetd { + package { 'inetutils-telnetd': + ensure => 'purged', + } +} + + +package --remove=inetutils-telnetd + + + + + + + Uninstall the nis package + The support for Yellowpages should not be installed unless it is required. + NIS is the historical SUN service for central account management, more and more replaced by LDAP. +NIS does not support efficiently security constraints, ACL, etc. and should not be used. + +# CAUTION: This remediation script will remove nis +# from the system, and may remove any packages +# that depend on nis. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "nis" ; then + dnf remove -y "nis" +fi + + - name: Ensure nis is removed + package: + name: nis + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_nis_removed + + include remove_nis + +class remove_nis { + package { 'nis': + ensure => 'purged', + } +} + + +package --remove=nis + + + + + + + Uninstall the ntpdate package + ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled. + ntpdate is an old not security-compliant ntp client. It should be replaced by modern ntp clients such as ntpd, able to use cryptographic mechanisms integrated in NTP. 
+ +# CAUTION: This remediation script will remove ntpdate +# from the system, and may remove any packages +# that depend on ntpdate. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "ntpdate" ; then + dnf remove -y "ntpdate" +fi + + - name: Ensure ntpdate is removed + package: + name: ntpdate + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_ntpdate_removed + + include remove_ntpdate + +class remove_ntpdate { + package { 'ntpdate': + ensure => 'purged', + } +} + + +package --remove=ntpdate + + + + + + + Uninstall the ssl compliant telnet server + The telnet daemon, even with ssl support, should be uninstalled. + NT007(R02) + CM-7(a) + CM-7(b) + CM-6(a) + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.04 + DSS05.02 + DSS05.03 + DSS05.05 + DSS06.06 + A.11.2.6 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.2.1 + A.6.2.2 + A.9.1.2 + 11 + 12 + 14 + 15 + 3 + 8 + 9 + PR.AC-3 + PR.IP-1 + PR.PT-3 + PR.PT-4 + telnet, even with ssl support, should not be installed. +When remote shell is required, up-to-date ssh daemon can be used. + +# CAUTION: This remediation script will remove telnetd-ssl +# from the system, and may remove any packages +# that depend on telnetd-ssl. Execute this +# remediation AFTER testing on a non-production +# system! 
+ +if rpm -q --quiet "telnetd-ssl" ; then + dnf remove -y "telnetd-ssl" +fi + + - name: Ensure telnetd-ssl is removed + package: + name: telnetd-ssl + state: absent + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - package_telnetd-ssl_removed + + include remove_telnetd-ssl + +class remove_telnetd-ssl { + package { 'telnetd-ssl': + ensure => 'purged', + } +} + + +package --remove=telnetd-ssl + + + + + + + Uninstall the telnet server + The telnet daemon should be uninstalled. + CM-7(a) + CM-7(b) + CM-6(a) + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.04 + DSS05.02 + DSS05.03 + DSS05.05 + DSS06.06 + A.11.2.6 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.2.1 + A.6.2.2 + A.9.1.2 + 11 + 12 + 14 + 15 + 3 + 8 + 9 + PR.AC-3 + PR.IP-1 + PR.PT-3 + PR.PT-4 + BP28(R1) + NT007(R03) + telnet allows clear text communications, and does not protect +any data transmission between client and server. Any confidential data +can be listened and no integrity checking is made.' + +# CAUTION: This remediation script will remove telnetd +# from the system, and may remove any packages +# that depend on telnetd. Execute this +# remediation AFTER testing on a non-production +# system! 
+ +if rpm -q --quiet "telnetd" ; then + dnf remove -y "telnetd" +fi + + - name: Ensure telnetd is removed + package: + name: telnetd + state: absent + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - package_telnetd_removed + + include remove_telnetd + +class remove_telnetd { + package { 'telnetd': + ensure => 'purged', + } +} + + +package --remove=telnetd + + + + + + + + Docker Service + The docker service is necessary to create containers, which are + self-sufficient and self-contained applications using the resource + isolation features of the kernel. + + + APT service configuration + The apt service manage the package management and update of the whole system. Its configuration need to be properly defined to ensure efficient security updates, packages and repository authentication and proper lifecycle management. + + + Application Whitelisting Daemon + Fapolicyd (File Access Policy Daemon) implements application whitelisting +to decide file access rights. Applications that are known via a reputation +source are allowed access while unknown applications are not. The daemon +makes use of the kernel's fanotify interface to determine file access rights. + + + Install fapolicyd Package + The fapolicyd package can be installed with the following command: + +$ sudo dnf install fapolicyd + CM-6(a) + SI-4(22) + SRG-OS-000370-GPOS-00155 + SRG-OS-000368-GPOS-00154 + CCI-001764 + fapolicyd (File Access Policy Daemon) +implements application whitelisting to decide file access rights. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! 
rpm -q --quiet "fapolicyd" ; then + dnf install -y "fapolicyd" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure fapolicyd is installed + package: + name: fapolicyd + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-SI-4(22) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_fapolicyd_installed + + include install_fapolicyd + +class install_fapolicyd { + package { 'fapolicyd': + ensure => 'installed', + } +} + + +package --add=fapolicyd + + +[[packages]] +name = "fapolicyd" +version = "*" + + + + + + + + + + + NFS and RPC + The Network File System is a popular distributed filesystem for +the Unix environment, and is very widely deployed. This section discusses the +circumstances under which it is possible to disable NFS and its dependencies, +and then details steps which should be taken to secure +NFS's configuration. This section is relevant to systems operating as NFS +clients, as well as to those operating as NFS servers. + + Uninstall nfs-utils Package + The nfs-utils package can be removed with the following command: + +$ sudo dnf erase nfs-utils + SRG-OS-000095-GPOS-00049 + nfs-utils provides a daemon for the kernel NFS server and related tools. This +package also contains the showmount program. showmount queries the mount +daemon on a remote host for information about the Network File System (NFS) server on the +remote host. For example, showmount can display the clients which are mounted on +that host. + +# CAUTION: This remediation script will remove nfs-utils +# from the system, and may remove any packages +# that depend on nfs-utils. Execute this +# remediation AFTER testing on a non-production +# system! 
+ +if rpm -q --quiet "nfs-utils" ; then + dnf remove -y "nfs-utils" +fi + + - name: Ensure nfs-utils is removed + package: + name: nfs-utils + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_nfs-utils_removed + + include remove_nfs-utils + +class remove_nfs-utils { + package { 'nfs-utils': + ensure => 'purged', + } +} + + +package --remove=nfs-utils + + + + + + + + + + Configure All Systems which Use NFS + The steps in this section are appropriate for all systems which +run NFS, whether they operate as clients or as servers. + + Make Each System a Client or a Server, not Both + If NFS must be used, it should be deployed in the simplest +configuration possible to avoid maintainability problems which may lead to +unnecessary security exposure. Due to the reliability and security problems +caused by NFS (specially NFSv3 and NFSv2), it is not a good idea for systems +which act as NFS servers to also mount filesystems via NFS. At the least, +crossed mounts (the situation in which each of two servers mounts a filesystem +from the other) should never be used. + + + Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2) + Firewalling should be done at each host and at the border +firewalls to protect the NFS daemons from remote access, since NFS servers +should never be accessible from outside the organization. However, by default +for NFSv3 and NFSv2, the RPC Bind service assigns each NFS service to a port +dynamically at service startup time. Dynamic ports cannot be protected by port + +filtering firewalls such as iptables. + + +Therefore, restrict each service to always use a given port, so that +firewalling can be done effectively. Note that, because of the way RPC is +implemented, it is not possible to disable the RPC Bind service even if ports +are assigned statically to all RPC services. 
+ +In NFSv4, the mounting and locking protocols have been incorporated into the +protocol, and the server listens on the the well-known TCP port 2049. As such, +NFSv4 does not need to interact with the rpcbind, lockd, and rpc.statd +daemons, which can and should be disabled in a pure NFSv4 environment. The +rpc.mountd daemon is still required on the NFS server to setup +exports, but is not involved in any over-the-wire operations. + + Configure lockd to use static TCP port + Configure the lockd daemon to use a static TCP port as +opposed to letting the RPC Bind service dynamically assign a port. Edit the +file /etc/sysconfig/nfs. Add or correct the following line: +LOCKD_TCPPORT=lockd-port +Where lockd-port is a port which is not used by any other service on +your network. + Restrict service to always use a given port, so that firewalling can be done +effectively. + + + Configure statd to use static port + Configure the statd daemon to use a static port as +opposed to letting the RPC Bind service dynamically assign a port. Edit the +file /etc/sysconfig/nfs. Add or correct the following line: +STATD_PORT=statd-port +Where statd-port is a port which is not used by any other service on your network. + Restricting services to always use a given port enables firewalling +to be done more effectively. + + + Configure lockd to use static UDP port + Configure the lockd daemon to use a static UDP port as +opposed to letting the RPC Bind service dynamically assign a port. Edit the +file /etc/sysconfig/nfs. Add or correct the following line: +LOCKD_UDPPORT=lockd-port +Where lockd-port is a port which is not used by any other service on +your network. + Restricting services to always use a given port enables firewalling +to be done more effectively. + + + Configure mountd to use static port + Configure the mountd daemon to use a static port as +opposed to letting the RPC Bind service dynamically assign a port. Edit the +file /etc/sysconfig/nfs. 
Add or correct the following line: +MOUNTD_PORT=statd-port +Where mountd-port is a port which is not used by any other service on your network. + Restricting services to always use a given port enables firewalling +to be done more effectively. + + + + + Configure NFS Clients + The steps in this section are appropriate for systems which operate as NFS clients. + + Disable NFS Server Daemons + There is no need to run the NFS server daemons nfs and +rpcsvcgssd except on a small number of properly secured systems +designated as NFS servers. Ensure that these daemons are turned off on +clients. + + Disable Network File System (nfs) + The Network File System (NFS) service allows remote hosts to mount +and interact with shared filesystems on the local system. If the local system +is not designated as a NFS server then this service should be disabled. + +The nfs-server service can be disabled with the following command: +$ sudo systemctl mask --now nfs-server.service + CM-7(a) + CM-7(b) + CM-6(a) + PR.AC-4 + PR.AC-6 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + DSS06.06 + A.6.1.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 11 + 12 + 14 + 15 + 16 + 18 + 3 + 5 + Unnecessary services should be disabled to decrease the attack surface of the system. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'nfs-server.service' +"$SYSTEMCTL_EXEC" disable 'nfs-server.service' +"$SYSTEMCTL_EXEC" mask 'nfs-server.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^nfs-server.socket'; then + "$SYSTEMCTL_EXEC" stop 'nfs-server.socket' + "$SYSTEMCTL_EXEC" mask 'nfs-server.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'nfs-server.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable service nfs-server + block: + + - name: Gather the service facts + service_facts: null + + - name: Disable service nfs-server + systemd: + name: nfs-server.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"nfs-server.service" in ansible_facts.services' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_nfs_disabled + - unknown_severity + +- name: Unit Socket Exists - nfs-server.socket + command: systemctl list-unit-files nfs-server.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_nfs_disabled + - unknown_severity + +- name: Disable socket nfs-server + systemd: + name: nfs-server.socket + enabled: 'no' + state: stopped + masked: 'yes' + 
when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"nfs-server.socket" in socket_file_exists.stdout_lines[1]' + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_nfs_disabled + - unknown_severity + + include disable_nfs-server + +class disable_nfs-server { + service {'nfs-server': + enable => false, + ensure => 'stopped', + } +} + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: nfs-server.service + enabled: false + mask: true + - name: nfs-server.socket + enabled: false + mask: true + + + + + + + + + + Disable Secure RPC Server Service (rpcsvcgssd) + The rpcsvcgssd service manages RPCSEC GSS contexts required to +secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd +service is the server-side of RPCSEC GSS. If the system does not require secure +RPC then this service should be disabled. + +The rpcsvcgssd service can be disabled with the following command: +$ sudo systemctl mask --now rpcsvcgssd.service + Unnecessary services should be disabled to decrease the attack surface of the system. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.service' +"$SYSTEMCTL_EXEC" disable 'rpcsvcgssd.service' +"$SYSTEMCTL_EXEC" mask 'rpcsvcgssd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rpcsvcgssd.socket'; then + "$SYSTEMCTL_EXEC" stop 'rpcsvcgssd.socket' + "$SYSTEMCTL_EXEC" mask 'rpcsvcgssd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. 
+# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rpcsvcgssd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable service rpcsvcgssd + block: + + - name: Gather the service facts + service_facts: null + + - name: Disable service rpcsvcgssd + systemd: + name: rpcsvcgssd.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"rpcsvcgssd.service" in ansible_facts.services' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_rpcsvcgssd_disabled + - unknown_severity + +- name: Unit Socket Exists - rpcsvcgssd.socket + command: systemctl list-unit-files rpcsvcgssd.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_rpcsvcgssd_disabled + - unknown_severity + +- name: Disable socket rpcsvcgssd + systemd: + name: rpcsvcgssd.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"rpcsvcgssd.socket" in socket_file_exists.stdout_lines[1]' + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_rpcsvcgssd_disabled + - unknown_severity + + include disable_rpcsvcgssd + +class disable_rpcsvcgssd { + service {'rpcsvcgssd': + enable => false, + ensure => 'stopped', + } +} + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rpcsvcgssd.service + enabled: false + mask: true + - name: rpcsvcgssd.socket + enabled: false + mask: 
true + + + + + + + + + + Specify UID and GID for Anonymous NFS Connections + To specify the UID and GID for remote root users, edit the /etc/exports file and add the following for each export: + +anonuid=value greater than UID_MAX from /etc/login.defs +anongid=value greater than GID_MAX from /etc/login.defs + +Note that a value of "-1" is technically acceptable as this will randomize the anonuid and +anongid values on a Red Hat Enterprise Linux based NFS server. While acceptable from a security perspective, +a value of -1 may cause interoperability issues, particularly with Red Hat Enterprise Linux 7 client systems. +Alternatively, functionally equivalent values of 60001, 65534, 65535 may be used. + Specifying the anonymous UID and GID ensures that the remote root user is mapped +to a local account which has no permissions on the system. + + + + + + + Mount Remote Filesystems with Restrictive Options + Edit the file /etc/fstab. For each filesystem whose type +(column 3) is nfs or nfs4, add the text +,nodev,nosuid to the list of mount options in column 4. If +appropriate, also add ,noexec. + +See the section titled "Restrict Partition Mount Options" for a description of +the effects of these options. In general, execution of files mounted via NFS +should be considered risky because of the possibility that an adversary could +intercept the request and substitute a malicious file. Allowing setuid files to +be executed from remote servers is particularly risky, both for this reason and +because it requires the clients to extend root-level trust to the NFS +server. + + + + + Configure NFS Servers + The steps in this section are appropriate for systems which operate as NFS servers. + + Ensure Insecure File Locking is Not Allowed + By default the NFS server requires secure file-lock requests, which require +credentials from the client in order to lock a file. 
Most NFS clients send +credentials with file lock requests, however, there are a few clients that +do not send credentials when requesting a file-lock, allowing the client to +only be able to lock world-readable files. To get around this, the +insecure_locks option can be used so these clients can access the +desired export. This poses a security risk by potentially allowing the +client access to data for which it does not have authorization. Remove any +instances of the insecure_locks option from the file +/etc/exports. + CCI-000764 + Allowing insecure file locking could allow for sensitive data to be +viewed or edited by an unauthorized user. + + + + + + + + + Restrict NFS Clients to Privileged Ports + By default, the server NFS implementation requires that all client requests be made +from ports less than 1024. If your organization has control over systems connected to its +network, and if NFS requests are prohibited at the border firewall, this offers some protection +against malicious requests from unprivileged users. Therefore, the default should not be changed. + +To ensure that the default has not been changed, ensure no line in +/etc/exports contains the option insecure. 
+ CM-7(a) + CM-7(b) + CM-6(a) + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + DSS06.06 + A.6.1.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 11 + 12 + 14 + 15 + 16 + 18 + 3 + 5 + PR.AC-4 + PR.AC-6 + PR.PT-3 + Allowing client requests to be made from ports higher than 1024 could allow a unprivileged +user to initiate an NFS connection. If the unprivileged user account has been compromised, an +attacker could gain access to data on the NFS server. + + + Use Root-Squashing on All Exports + If a filesystem is exported using root squashing, requests from root on the client +are considered to be unprivileged (mapped to a user such as nobody). This provides some mild +protection against remote abuse of an NFS server. Root squashing is enabled by default, and +should not be disabled. + +Ensure that no line in /etc/exports contains the option no_root_squash. + If the NFS server allows root access to local file systems from remote hosts, this +access could be used to compromise the system. + + + Ensure All-Squashing Disabled On All Exports + The all_squash maps all uids and gids to an anonymous user. +This should be disabled by removing any instances of the +all_squash option from the file /etc/exports. + The all_squash option maps all client requests to a single anonymous +uid/gid on the NFS server, negating the ability to track file access +by user ID. 
+ + + + + + Export Filesystems Read-Only if Possible + If a filesystem is being exported so that users can view the files in a convenient +fashion, but there is no need for users to edit those files, exporting the filesystem read-only +removes an attack vector against the server. The default filesystem export mode is ro, +so do not specify rw without a good reason. + + + Use Access Lists to Enforce Authorization Restrictions + When configuring NFS exports, ensure that each export line in /etc/exports contains +a list of hosts which are allowed to access that export. If no hosts are specified on an export line, +then that export is available to any remote host which requests it. All lines of the exports file should +specify the hosts (or subnets, if needed) which are allowed to access the exported directory, so that +unknown or remote hosts will be denied. + +Authorized hosts can be specified in several different formats: +Name or alias that is recognized by the resolverFully qualified domain nameIP addressIP subnets in the format address/netmask or address/CIDR + + + Configure the Exports File Restrictively + Linux's NFS implementation uses the file /etc/exports to control what filesystems +and directories may be accessed via NFS. (See the exports(5) manpage for more information about the +format of this file.) + +The syntax of the exports file is not necessarily checked fully on reload, and syntax errors +can leave your NFS configuration more open than intended. Therefore, exercise caution when modifying +the file. + +The syntax of each line in /etc/exports is: +/DIR host1(opt1,opt2) host2(opt3) +where /DIR is a directory or filesystem to export, hostN is an IP address, netblock, +hostname, domain, or netgroup to which to export, and optN is an option. 
+ + + + Disable All NFS Services if Possible + If there is not a reason for the system to operate as either an +NFS client or an NFS server, follow all instructions in this section to disable +subsystems required by NFS. + The steps in this section will prevent a system +from operating as either an NFS client or an NFS server. Only perform these +steps on systems which do not need NFS at all. + + + Disable Services Used Only by NFS + If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd. + +All of these daemons run with elevated privileges, and many listen for network +connections. If they are not needed, they should be disabled to improve system +security posture. + + + Disable Network File System Lock Service (nfslock) + The Network File System Lock (nfslock) service starts the required +remote procedure call (RPC) processes which allow clients to lock files on the +server. If the local system is not configured to mount NFS filesystems then +this service should be disabled. + +The nfslock service can be disabled with the following command: +$ sudo systemctl mask --now nfslock.service + + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'nfslock.service' +"$SYSTEMCTL_EXEC" disable 'nfslock.service' +"$SYSTEMCTL_EXEC" mask 'nfslock.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^nfslock.socket'; then + "$SYSTEMCTL_EXEC" stop 'nfslock.socket' + "$SYSTEMCTL_EXEC" mask 'nfslock.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. 
+"$SYSTEMCTL_EXEC" reset-failed 'nfslock.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable service nfslock + block: + + - name: Gather the service facts + service_facts: null + + - name: Disable service nfslock + systemd: + name: nfslock.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"nfslock.service" in ansible_facts.services' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_nfslock_disabled + - unknown_severity + +- name: Unit Socket Exists - nfslock.socket + command: systemctl list-unit-files nfslock.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_nfslock_disabled + - unknown_severity + +- name: Disable socket nfslock + systemd: + name: nfslock.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"nfslock.socket" in socket_file_exists.stdout_lines[1]' + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_nfslock_disabled + - unknown_severity + + include disable_nfslock + +class disable_nfslock { + service {'nfslock': + enable => false, + ensure => 'stopped', + } +} + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: nfslock.service + enabled: false + mask: true + - name: nfslock.socket + enabled: false + mask: true + + + + + + + Disable Secure RPC Client Service (rpcgssd) + The rpcgssd service manages RPCSEC GSS contexts required to 
secure protocols +that use RPC (most often Kerberos and NFS). The rpcgssd service is the +client-side of RPCSEC GSS. If the system does not require secure RPC then this +service should be disabled. + +The rpcgssd service can be disabled with the following command: +$ sudo systemctl mask --now rpcgssd.service + + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rpcgssd.service' +"$SYSTEMCTL_EXEC" disable 'rpcgssd.service' +"$SYSTEMCTL_EXEC" mask 'rpcgssd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rpcgssd.socket'; then + "$SYSTEMCTL_EXEC" stop 'rpcgssd.socket' + "$SYSTEMCTL_EXEC" mask 'rpcgssd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. 
+"$SYSTEMCTL_EXEC" reset-failed 'rpcgssd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable service rpcgssd + block: + + - name: Gather the service facts + service_facts: null + + - name: Disable service rpcgssd + systemd: + name: rpcgssd.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"rpcgssd.service" in ansible_facts.services' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_rpcgssd_disabled + - unknown_severity + +- name: Unit Socket Exists - rpcgssd.socket + command: systemctl list-unit-files rpcgssd.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_rpcgssd_disabled + - unknown_severity + +- name: Disable socket rpcgssd + systemd: + name: rpcgssd.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"rpcgssd.socket" in socket_file_exists.stdout_lines[1]' + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_rpcgssd_disabled + - unknown_severity + + include disable_rpcgssd + +class disable_rpcgssd { + service {'rpcgssd': + enable => false, + ensure => 'stopped', + } +} + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rpcgssd.service + enabled: false + mask: true + - name: rpcgssd.socket + enabled: false + mask: true + + + + + + + Disable RPC ID Mapping Service (rpcidmapd) + The rpcidmapd service is used to map user names and groups 
to UID +and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then +this service should be disabled. + +The rpcidmapd service can be disabled with the following command: +$ sudo systemctl mask --now rpcidmapd.service + + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rpcidmapd.service' +"$SYSTEMCTL_EXEC" disable 'rpcidmapd.service' +"$SYSTEMCTL_EXEC" mask 'rpcidmapd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rpcidmapd.socket'; then + "$SYSTEMCTL_EXEC" stop 'rpcidmapd.socket' + "$SYSTEMCTL_EXEC" mask 'rpcidmapd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rpcidmapd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable service rpcidmapd + block: + + - name: Gather the service facts + service_facts: null + + - name: Disable service rpcidmapd + systemd: + name: rpcidmapd.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"rpcidmapd.service" in ansible_facts.services' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_rpcidmapd_disabled + - unknown_severity + +- name: Unit Socket Exists - rpcidmapd.socket + command: systemctl list-unit-files rpcidmapd.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - 
no_reboot_needed + - service_rpcidmapd_disabled + - unknown_severity + +- name: Disable socket rpcidmapd + systemd: + name: rpcidmapd.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"rpcidmapd.socket" in socket_file_exists.stdout_lines[1]' + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_rpcidmapd_disabled + - unknown_severity + + include disable_rpcidmapd + +class disable_rpcidmapd { + service {'rpcidmapd': + enable => false, + ensure => 'stopped', + } +} + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rpcidmapd.service + enabled: false + mask: true + - name: rpcidmapd.socket + enabled: false + mask: true + + + + + + + + Disable netfs if Possible + To determine if any network filesystems handled by netfs are +currently mounted on the system execute the following command: +$ mount -t nfs,nfs4,smbfs,cifs,ncpfs +If the command did not return any output then disable netfs. + + + Disable Network File Systems (netfs) + The netfs script manages the boot-time mounting of several types +of networked filesystems, of which NFS and Samba are the most common. If these +filesystem types are not in use, the script can be disabled, protecting the +system somewhat against accidental or malicious changes to /etc/fstab +and against flaws in the netfs script itself. + +The netfs service can be disabled with the following command: +$ sudo systemctl mask --now netfs.service + + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'netfs.service' +"$SYSTEMCTL_EXEC" disable 'netfs.service' +"$SYSTEMCTL_EXEC" mask 'netfs.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^netfs.socket'; then + "$SYSTEMCTL_EXEC" stop 'netfs.socket' + "$SYSTEMCTL_EXEC" mask 'netfs.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'netfs.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable service netfs + block: + + - name: Gather the service facts + service_facts: null + + - name: Disable service netfs + systemd: + name: netfs.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"netfs.service" in ansible_facts.services' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_netfs_disabled + - unknown_severity + +- name: Unit Socket Exists - netfs.socket + command: systemctl list-unit-files netfs.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_netfs_disabled + - unknown_severity + +- name: Disable socket netfs + systemd: + name: netfs.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"netfs.socket" in socket_file_exists.stdout_lines[1]' + tags: + - disable_strategy + - low_complexity + - 
low_disruption + - no_reboot_needed + - service_netfs_disabled + - unknown_severity + + include disable_netfs + +class disable_netfs { + service {'netfs': + enable => false, + ensure => 'stopped', + } +} + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: netfs.service + enabled: false + mask: true + - name: netfs.socket + enabled: false + mask: true + + + + + + + + + + Samba(SMB) Microsoft Windows File Sharing Server + When properly configured, the Samba service allows +Linux systems to provide file and print sharing to Microsoft +Windows systems. There are two software packages that provide +Samba support. The first, samba-client, provides a series of +command line tools that enable a client system to access Samba +shares. The second, simply labeled samba, provides the Samba +service. It is this second package that allows a Linux system to +act as an Active Directory server, a domain controller, or as a +domain member. Only the samba-client package is installed by +default. + + Configure Samba if Necessary + All settings for the Samba daemon can be found in +/etc/samba/smb.conf. Settings are divided between a +[global] configuration section and a series of user +created share definition sections meant to describe file or print +shares on the system. By default, Samba will operate in user mode +and allow client systems to access local home directories and +printers. It is recommended that these settings be changed or that +additional limitations be set in place. + + Restrict Printer Sharing + By default, Samba utilizes the CUPS printing service to enable +printer sharing with Microsoft Windows workstations. 
If there are no printers +on the local system, or if printer sharing with Microsoft Windows is not +required, disable the printer sharing capability by commenting out the +following lines, found in /etc/samba/smb.conf: +[global] + load printers = yes + cups options = raw +[printers] + comment = All Printers + path = /usr/spool/samba + browseable = no + guest ok = no + writable = no + printable = yes +There may be other options present, but these are the only options enabled and +uncommented by default. Removing the [printers] share should be enough +for most users. If the Samba printer sharing capability is needed, consider +disabling the Samba network browsing capability or restricting access to a +particular set of users or network addresses. Set the valid users +parameter to a small subset of users or restrict it to a particular group of +users with the shorthand @. Separate each user or group of users with +a space. For example, under the [printers] share: +[printers] + valid users = user @printerusers + + + Restrict SMB File Sharing to Configured Networks + Only users with local user accounts will be able to log in to +Samba shares by default. Shares can be limited to particular users or network +addresses. Use the hosts allow and hosts deny directives +accordingly, and consider setting the valid users directive to a limited subset +of users or to a group of users. Separate each address, user, or user group +with a space as follows for a particular share or global: +[share] + hosts allow = 192.168.1. 127.0.0.1 + valid users = userone usertwo @usergroup +It is also possible to limit read and write access to particular users with the +read list and write list options, though the permissions set by the system +itself will override these settings. Set the read only attribute for each share +to ensure that global settings will not accidentally override the individual +share settings. 
Then, as with the valid users directive, separate each user or +group of users with a space: +[share] + read only = yes + write list = userone usertwo @usergroup + + + + Disable Samba if Possible + Even after the Samba server package has been installed, it +will remain disabled. Do not enable this service unless it is +absolutely necessary to provide Microsoft Windows file and print +sharing functionality. + + + + Web Server + The web server is responsible for providing access to +content via the HTTP protocol. Web servers represent a significant +security risk because: + +The HTTP port is commonly probed by malicious sourcesWeb server software is very complex, and includes a long +history of vulnerabilitiesThe HTTP protocol is unencrypted and vulnerable to passive +monitoring + +The system's default web server software is Apache 2 and is +provided in the RPM package httpd. + + Disable Apache if Possible + If Apache was installed and activated, but the system +does not need to act as a web server, then it should be disabled +and removed from the system. + + + Install Apache if Necessary + If httpd was not installed and activated, but the system +needs to act as a web server, then it should be installed on the system. Follow these +guidelines to install it defensively. The httpd package can be installed with +the following command: +$ sudo yum install httpd +This method of installation is recommended over installing the "Web Server" +package group during the system installation process. The Web Server package +group includes many packages which are likely extraneous, while the +command-line method installs only the required httpd package itself. + + Confirm Minimal Built-in Modules Installed + The default httpd installation minimizes the number of +modules that are compiled directly into the binary (core prefork http_core +mod_so). This minimizes risk by limiting the capabilities allowed by the +web server. 
+ +Query the set of compiled-in modules using the following command: +$ httpd -l +If the number of compiled-in modules is significantly larger than the +aforementioned set, this guide recommends re-installing httpd with a +reduced configuration. Minimizing the number of modules that are compiled into +the httpd binary, reduces risk by limiting the capabilities allowed by +the webserver. + + + + Secure Apache Configuration + The httpd configuration file is +/etc/httpd/conf/httpd.conf. Apply the recommendations in the remainder +of this section to this file. + + HTTPD Log Level + The setting for LogLevel in /etc/httpd/conf/httpd.conf + alert + crit + warn + emerg + error + warn + + + Maximum KeepAlive Requests for HTTPD + The setting for MaxKeepAliveRequests in httpd.conf + 100 + 1000 + 10000 + 100000 + 500 + 100 + + + Configure PHP Securely + PHP is a widely-used and often misconfigured server-side scripting language. It should +be used with caution, but configured appropriately when needed. 
+ +Review /etc/php.ini and make the following changes if possible: +# Do not expose PHP error messages to external users +display_errors = Off + +# Enable safe mode +safe_mode = On + +# Only allow access to executables in isolated directory +safe_mode_exec_dir = php-required-executables-path + +# Limit external access to PHP environment +safe_mode_allowed_env_vars = PHP_ + +# Restrict PHP information leakage +expose_php = Off + +# Log all errors +log_errors = On + +# Do not register globals for input data +register_globals = Off + +# Minimize allowable PHP post size +post_max_size = 1K + +# Ensure PHP redirects appropriately +cgi.force_redirect = 0 + +# Disallow uploading unless necessary +file_uploads = Off + +# Disallow treatment of file requests as fopen calls +allow_url_fopen = Off + +# Enable SQL safe mode +sql.safe_mode = On + + + + Configure Operating System to Protect Web Server + The following configuration steps should be taken on the system which hosts the +web server, in order to provide as safe an environment as possible for the web server. + + Restrict File and Directory Access + Minimize access to critical httpd files and directories. + + + Run httpd in a chroot Jail if Practical + Running httpd inside a chroot jail is designed to isolate the +web server process to a small section of the filesystem, limiting the damage if +it is compromised. Versions of Apache greater than 2.2.10 (such as the one +included with Fedora) provide the ChrootDir directive. To run Apache +inside a chroot jail in /chroot/apache, add the following line to +/etc/httpd/conf/httpd.conf: ChrootDir /chroot/apache This +necessitates placing all files required by httpd inside +/chroot/apache , including httpd's binaries, modules, +configuration files, and served web pages. The details of this configuration +are beyond the scope of this guide. This may also require additional SELinux +configuration. 
+ + + + Restrict Web Server Information Leakage + The ServerTokens and ServerSignature directives determine how +much information the web server discloses about the configuration of the +system. + + + Use Denial-of-Service Protection Modules + Denial-of-service attacks are difficult to detect and prevent while maintaining +acceptable access to authorized users. However, some traffic-shaping +modules can be used to address the problem. Well-known DoS protection modules include: +mod_cband mod_bwshare mod_limitipconn mod_evasive +Denial-of-service prevention should be implemented for a web server if such a threat exists. +However, specific configuration details are very dependent on the environment and often best left +at the discretion of the administrator. + + + Minimize Web Server Loadable Modules + A default installation of httpd includes a plethora of dynamically shared objects (DSO) +that are loaded at run-time. Unlike the aforementioned compiled-in modules, a DSO can be +disabled in the configuration file by removing the corresponding LoadModule directive. + +Note: A DSO only provides additional functionality if associated directives are included +in the httpd configuration file. It should also be noted that removing a DSO will produce +errors on httpd startup if the configuration file contains directives that apply to that +module. Refer to http://httpd.apache.org/docs/ for details on which directives +are associated with each DSO. + +Following each DSO removal, the configuration can be tested with the following command +to check if everything still works: +$ sudo service httpd configtest +The purpose of each of the modules loaded by default will now be addressed one at a time. +If none of a module's directives are being used, remove it. 
+ + httpd Core Modules + These modules comprise a basic subset of modules that are likely needed for base httpd +functionality; ensure they are not commented out in /etc/httpd/conf/httpd.conf: +LoadModule auth_basic_module modules/mod_auth_basic.so +LoadModule authn_default_module modules/mod_authn_default.so +LoadModule authz_host_module modules/mod_authz_host.so +LoadModule authz_user_module modules/mod_authz_user.so +LoadModule authz_groupfile_module modules/mod_authz_groupfile.so +LoadModule authz_default_module modules/mod_authz_default.so +LoadModule log_config_module modules/mod_log_config.so +LoadModule logio_module modules/mod_logio.so +LoadModule setenvif_module modules/mod_setenvif.so +LoadModule mime_module modules/mod_mome.so +LoadModule autoindex_module modules/mod_autoindex.so +LoadModule negotiation_module modules/mod_negotiation.so +LoadModule dir_module modules/mod_dir.so +LoadModule alias_module modules/mod_alias.so +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. + + Minimize Various Optional Components + The following modules perform very specific tasks, sometimes providing access to +just a few additional directives. 
If such functionality is not required (or if you +are not using these directives), comment out the associated module: +External filtering (response passed through external program prior to client delivery) +#LoadModule ext_filter_module modules/mod_ext_filter.soUser-specified Cache Control and Expiration +#LoadModule expires_module modules/mod_expires.soCompression Output Filter (provides content compression prior to client delivery) +#LoadModule deflate_module modules/mod_deflate.soHTTP Response/Request Header Customization +#LoadModule headers_module modules/mod_headers.soUser activity monitoring via cookies +#LoadModule usertrack_module modules/mod_usertrack.soDynamically configured mass virtual hosting +#LoadModule vhost_alias_module modules/mod_vhost_alias.so +Minimizing the number of loadable modules available to the web server reduces risk +by limiting the capabilities allowed by the web server. + + + Minimize Modules for HTTP Basic Authentication + The following modules are necessary if this web server will provide content that will +be restricted by a password. + +Authentication can be performed using local plain text password files (authn_file), +local DBM password files (authn_dbm) or an LDAP directory. The only module required by +the web server depends on your choice of authentication. Comment out the modules you don't +need from the following: +LoadModule authn_file_module modules/mod_authn_file.so +LoadModule authn_dbm_module modules/mod_authn_dbm.so +authn_alias allows for authentication based on aliases. authn_anon +allows anonymous authentication similar to that of anonymous ftp sites. authz_owner +allows authorization based on file ownership. authz_dbm allows for authorization +based on group membership if the web server is using DBM authentication. 
+ +If the above functionality is unnecessary, comment out the related module: +#LoadModule authn_alias_module modules/mod_authn_alias.so +#LoadModule authn_anon_module modules/mod_authn_anon.so +#LoadModule authz_owner_module modules/mod_authz_owner.so +#LoadModule authz_dbm_module modules/mod_authz_dbm.so + + + Minimize Configuration Files Included + The Include directive directs httpd to load supplementary configuration files +from a provided path. The default configuration loads all files that end in .conf +from the /etc/httpd/conf.d directory. + +To restrict excess configuration, the following line should be commented out and +replaced with Include directives that only reference required configuration files: +#Include conf.d/*.conf +If the above change was made, ensure that the SSL encryption remains loaded by +explicitly including the corresponding configuration file: +Include conf.d/ssl.conf +If PHP is necessary, a similar alteration must be made: +Include conf.d/php.conf + +Explicitly listing the configuration files to be loaded during web server start-up avoids +the possibility of unwanted or malicious configuration files to be automatically included as +part of the server's running configuration. + + + + + Use Appropriate Modules to Improve httpd's Security + Among the modules available for httpd are several whose use may improve the +security of the web server installation. This section recommends and discusses +the deployment of security-relevant modules. + + Deploy mod_ssl + Because HTTP is a plain text protocol, all traffic is susceptible to passive +monitoring. If there is a need for confidentiality, SSL should be configured +and enabled to encrypt content. + +Note: mod_nss is a FIPS 140-2 certified alternative to mod_ssl. +The modules share a considerable amount of code and should be nearly identical +in functionality. If FIPS 140-2 validation is required, then mod_nss should +be used. 
If it provides some feature or its greater compatibility is required, +then mod_ssl should be used. + + + Deploy mod_security + The security module provides an application level firewall for httpd. +Following its installation with the base ruleset, specific configuration advice can be found at + + http://www.modsecurity.org/ to design a policy that best matches the security needs of +the web applications. Usage of mod_security is highly recommended for some environments, +but it should be noted this module does not ship with Red Hat Enterprise Linux itself, +and instead is provided via Extra Packages for Enterprise Linux (EPEL). +For more information on EPEL please refer to + http://fedoraproject.org/wiki/EPEL. + + + + Directory Restrictions + The Directory tags in the web server configuration file allow finer grained access +control for a specified directory. All web directories should be configured on a +case-by-case basis, allowing access only where needed. + + + Configure HTTPD-Served Web Content Securely + Running httpd inside a chroot jail is designed to isolate the +web server process to a small section of the filesystem, limiting the damage if +it is compromised. Versions of Apache greater than 2.2.10 (such as the one +included with Red Hat Enterprise Linux 7) provide the ChrootDir directive. To run Apache +inside a chroot jail in /chroot/apache, add the following line to +/etc/httpd/conf/httpd.conf: ChrootDir /chroot/apache This +necessitates placing all files required by httpd inside +/chroot/apache , including httpd's binaries, modules, +configuration files, and served web pages. The details of this configuration +are beyond the scope of this guide. This may also require additional SELinux +configuration. + + Web Login Banner Verbiage + Enter an appropriate login banner for your organization. Please note that new lines must +be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'. 
+ ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\)\,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including\,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to\,[\s\n]+penetration[\s\n]+testing\,[\s\n]+COMSEC[\s\n]+monitoring\,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense\,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\)\,[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\)\,[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time\,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using\,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on\,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private\,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring\,[\s\n]+interception\,[\s\n]+and[\s\n]+search\,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.\,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above\,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM\,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[
\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications\,[\s\n]+or[\s\n]+work[\s\n]+product\,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys\,[\s\n]+psychotherapists\,[\s\n]+or[\s\n]+clergy\,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$ + ^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\)\,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including\,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to\,[\s\n]+penetration[\s\n]+testing\,[\s\n]+COMSEC[\s\n]+monitoring\,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense\,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\)\,[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\)\,[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time\,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using\,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on\,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private\,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring\,[\s\n]+intercep
tion\,[\s\n]+and[\s\n]+search\,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.\,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above\,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM\,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications\,[\s\n]+or[\s\n]+work[\s\n]+product\,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys\,[\s\n]+psychotherapists\,[\s\n]+or[\s\n]+clergy\,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$ + ^I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$ + 
^Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication\,[\s\n]+transmission\,[\s\n]+processing\,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U\.S\.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems\,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations\,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity\,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes\.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes\,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information\,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]
+user\,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use\,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action\.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.$ + ^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$ + + + + Configure PERL Securely + PERL (Practical Extraction and Report Language) is an interpreted language +optimized for scanning arbitrary text files, extracting information from those +text files, and printing 
reports based on that information. The language is +often used in shell scripting and is intended to be practical, easy to use, and +efficient means of generating interactive web pages for the user. + + + + + X Window System + The X Window System implementation included with the +system is called X.org. + + Disable X Windows + Unless there is a mission-critical reason for the +system to run a graphical user interface, ensure X is not set to start +automatically at boot and remove the X Windows software packages. +There is usually no reason to run X Windows +on a dedicated server system, as it increases the system's attack surface and consumes +system resources. Administrators of server systems should instead login via +SSH or on the text console. + + Remove the X Windows Package Group + By removing the xorg-x11-server-common package, the system no longer has X Windows +installed. If X Windows is not installed then the system cannot boot into graphical user mode. +This prevents the system from being accidentally or maliciously booted into a graphical.target +mode. To do so, run the following command: +$ sudo dnf groupremove "X Window System" +$ sudo dnf remove xorg-x11-server-common + The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your +overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target +which might bring your system to an inconsistent state requiring additional configuration to access the system +again. If a GUI is an operational requirement, a tailored profile that removes this rule should used before +continuing installation. 
+ CCI-000366 + CM-7(a) + CM-7(b) + CM-6(a) + PR.AC-3 + PR.PT-4 + SRG-OS-000480-GPOS-00227 + SR 1.13 + SR 2.6 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.3.3.6.6 + APO13.01 + DSS01.04 + DSS05.02 + DSS05.03 + A.11.2.6 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.6.2.1 + A.6.2.2 + 12 + 15 + 8 + Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security +vulnerabilities and should not be installed unless approved and documented. + +# CAUTION: This remediation script will remove xorg-x11-server-common +# from the system, and may remove any packages +# that depend on xorg-x11-server-common. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "xorg-x11-server-common" ; then + dnf remove -y "xorg-x11-server-common" +fi + + - name: Ensure xorg-x11-server-common is removed + package: + name: xorg-x11-server-common + state: absent + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_xorg-x11-server-common_removed + + include remove_xorg-x11-server-common + +class remove_xorg-x11-server-common { + package { 'xorg-x11-server-common': + ensure => 'purged', + } +} + + +package --remove=xorg-x11-server-common + + + + + + + + + + Disable X Windows Startup By Setting Default Target + Systems that do not require a graphical user interface should only boot by +default into multi-user.target mode. This prevents accidental booting of the system +into a graphical.target mode. Setting the system's default target to +multi-user.target will prevent automatic startup of the X server. To do so, run: +$ systemctl set-default multi-user.target +You should see the following output: +Removed symlink /etc/systemd/system/default.target. 
+Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target. + CCI-000366 + CM-7(a) + CM-7(b) + CM-6(a) + PR.AC-3 + PR.PT-4 + SRG-OS-000480-GPOS-00227 + SR 1.13 + SR 2.6 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.3.3.6.6 + APO13.01 + DSS01.04 + DSS05.02 + DSS05.03 + A.11.2.6 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.6.2.1 + A.6.2.2 + 12 + 15 + 8 + Services that are not required for system and application processes +must not be active to decrease the attack surface of the system. X windows has a +long history of security vulnerabilities and should not be used unless approved +and documented. + +systemctl set-default multi-user.target + + - name: Switch to multi-user runlevel + file: + src: /usr/lib/systemd/system/multi-user.target + dest: /etc/systemd/system/default.target + state: link + force: true + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - low_complexity + - low_disruption + - medium_severity + - reboot_required + - restrict_strategy + - xwindows_runlevel_target + + + + + + + + + + + + Kerberos + The Kerberos protocol is used for authentication across +non-secure network. Authentication can happen between +various types of principals -- users, service, or hosts. +Their identity and encryption keys can be stored in keytab +files. + + + Disable Kerberos by removing host keytab + Kerberos is not an approved key distribution method for +Common Criteria. To prevent using Kerberos by system daemons, +remove the Kerberos keytab files, especially +/etc/krb5.keytab. + FTP_ITC_EXT.1 + SRG-OS-000120-GPOS-00061 + 0418 + 1055 + 1402 + CCI-000803 + The key derivation function (KDF) in Kerberos is not FIPS compatible. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +rm -f /etc/*.keytab + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + + FTP Server + FTP is a common method for allowing remote access to +files. Like telnet, the FTP protocol is unencrypted, which means +that passwords and other data transmitted during the session can be +captured and that the session is vulnerable to hijacking. +Therefore, running the FTP server software is not recommended. + +However, there are some FTP server configurations which may +be appropriate for some environments, particularly those which +allow only read-only anonymous access as a means of downloading +data available to the public. + + Disable vsftpd if Possible + To minimize attack surface, disable vsftpd if at all +possible. + + Uninstall vsftpd Package + The vsftpd package can be removed with the following command: $ sudo dnf erase vsftpd + CCI-000197 + CCI-000366 + CCI-000381 + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SRG-OS-000074-GPOS-00042 + SRG-OS-000095-GPOS-00049 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + Removing the vsftpd package decreases the risk of its +accidental activation. + +# CAUTION: This remediation script will remove vsftpd +# from the system, and may remove any packages +# that depend on vsftpd. 
Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "vsftpd" ; then + dnf remove -y "vsftpd" +fi + + - name: Ensure vsftpd is removed + package: + name: vsftpd + state: absent + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - package_vsftpd_removed + + include remove_vsftpd + +class remove_vsftpd { + package { 'vsftpd': + ensure => 'purged', + } +} + + +package --remove=vsftpd + + + + + + + + + + + Configure vsftpd to Provide FTP Service if Necessary + The primary vsftpd configuration file is +/etc/vsftpd.conf, if that file exists, or +/etc/vsftpd/vsftpd.conf if it does not. + + Create Warning Banners for All FTP Users + +Edit the vsftpd configuration file, which resides at /etc/vsftpd/vsftpd.conf + +by default. Add or correct the following configuration options: +banner_file=/etc/issue + CCI-000048 + This setting will cause the system greeting banner to be used for FTP connections as well. + + + + + + + + + Disable FTP Uploads if Possible + Is there a mission-critical reason for users to upload files via FTP? If not, +edit the vsftpd configuration file to add or correct the following configuration options: +write_enable=NO +If FTP uploads are necessary, follow the guidance in the remainder of this section to secure these transactions +as much as possible. + Anonymous FTP can be a convenient way to make files available for universal download. However, it is less +common to have a need to allow unauthenticated users to place files on the FTP server. If this must be done, it +is necessary to ensure that files cannot be uploaded and downloaded from the same directory. + + + Place the FTP Home Directory on its Own Partition + By default, the anonymous FTP root is the home directory of the FTP user account. The df command can +be used to verify that this directory is on its own partition. 
+ If there is a mission-critical reason for anonymous users to upload files, precautions must be taken to prevent +these users from filling a disk used by other services. + + + Enable Logging of All FTP Transactions + Add or correct the following configuration options within the vsftpd +configuration file, located at /etc/vsftpd/vsftpd.conf: +xferlog_enable=YES +xferlog_std_format=NO +log_ftp_protocol=YES + If verbose logging to vsftpd.log is done, sparse logging of +downloads to /var/log/xferlog will not also occur. However, +the information about what files were downloaded is included in the +information logged to vsftpd.log. + To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to +the FTP server are logged using the verbose vsftpd log +format. The default vsftpd log file is /var/log/vsftpd.log. + + + + + + + + + Configure Firewalls to Protect the FTP Server + +By default, iptables +blocks access to the ports used by the web server. + +To configure iptables to allow port 21 traffic, one must edit +/etc/sysconfig/iptables and +/etc/sysconfig/ip6tables (if IPv6 is in use). +Add the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain: +-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT +Edit the file /etc/sysconfig/iptables-config. Ensure that the space-separated list of modules contains +the FTP connection tracking module: +IPTABLES_MODULES="ip_conntrack_ftp" + These settings configure the firewall to allow connections to an FTP server. + + +The first line allows initial connections to the FTP server port. +FTP is an older protocol which is not very compatible with firewalls. During the initial FTP dialogue, the client +and server negotiate an arbitrary port to be used for data transfer. The ip_conntrack_ftp module is used by +iptables to listen to that dialogue and allow connections to the data ports which FTP negotiates. 
This allows an +FTP server to operate on a system which is running a firewall. + + + Restrict the Set of Users Allowed to Access FTP + This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to +do this entirely due to legacy applications, how to restrict insecure FTP login to only those users who have an +identified need for this access. + + Limit Users Allowed FTP Access if Necessary + If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options: +userlist_enable=YES +userlist_file=/etc/vsftp.ftpusers +userlist_deny=NO +Edit the file /etc/vsftp.ftpusers. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name: +USERNAME +If anonymous access is also required, add the anonymous usernames to /etc/vsftp.ftpusers as well. +anonymous +ftp + Historically, the file /etc/ftpusers contained a list of users who were not allowed to access the system via FTP. It was used to prevent system users such as the root user from logging in via the insecure FTP protocol. However, when the configuration option userlist deny=NO is set, vsftpd interprets ftpusers as the set of users who are allowed to login via FTP. Since it should be possible for most users to access their accounts via secure protocols, it is recommended that this setting be used, so that non-anonymous FTP access can be limited to legacy users who have been explicitly identified. + + + Restrict Access to Anonymous Users if Possible + Is there a mission-critical reason for users to transfer files to/from their own accounts +using FTP, rather than using a secure protocol like SCP/SFTP? If not, edit the vsftpd +configuration file. 
Add or correct the following configuration option: + +local_enable=NO + +If non-anonymous FTP logins are necessary, follow the guidance in the remainder of +this section to secure these logins as much as possible. + CM-7(a) + CM-7(b) + CM-6(a) + AC-3 + AC-17(a) + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.1.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 11 + 12 + 14 + 15 + 16 + 18 + 3 + 5 + 9 + PR.AC-4 + PR.AC-6 + PR.IP-1 + PR.PT-3 + The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients +and servers are widely available, and since SSH provides support for a transfer +mode which resembles FTP in user interface, there is no good reason to allow +password-based FTP access.' + + + + + Use vsftpd to Provide FTP Service if Necessary + If your use-case requires FTP service, install and +set-up vsftpd to provide it. + + Install vsftpd Package + If this system must operate as an FTP server, install the vsftpd package via the standard channels. 
+The vsftpd package can be installed with the following command: + +$ sudo dnf install vsftpd + CM-6(a) + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + PR.IP-1 + PR.PT-3 + After Red Hat Enterprise Linux 2.1, Red Hat switched from distributing wu-ftpd with +Red Hat Enterprise Linux to distributing vsftpd. For security +and for consistency with future Red Hat releases, the use of vsftpd is recommended. + +if ! rpm -q --quiet "vsftpd" ; then + dnf install -y "vsftpd" +fi + + - name: Ensure vsftpd is installed + package: + name: vsftpd + state: present + tags: + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_vsftpd_installed + + include install_vsftpd + +class install_vsftpd { + package { 'vsftpd': + ensure => 'installed', + } +} + + +package --add=vsftpd + + +[[packages]] +name = "vsftpd" +version = "*" + + + + + + + + + IMAP and POP3 Server + Dovecot provides IMAP and POP3 services. It is not +installed by default. The project page at + http://www.dovecot.org +contains more detailed information about Dovecot +configuration. + + Configure Dovecot if Necessary + If the system will operate as an IMAP or +POP3 server, the dovecot software should be configured securely by following +the recommendations below. 
+ + Support Only the Necessary Protocols + Dovecot supports the IMAP and POP3 protocols, as well as +SSL-protected versions of those protocols. Configure the Dovecot server +to support only the protocols needed by your site. Edit /etc/dovecot/dovecot.conf. +Add or correct the following lines, replacing PROTOCOL with +only the subset of protocols (imap, imaps, +pop3, pop3s) required: +protocols = PROTOCOL +If possible, require SSL protection for all transactions. The SSL +protocol variants listen on alternate ports (995 instead of 110 for +pop3s, and 993 instead of 143 for imaps), and require SSL-aware clients. +An alternate approach is to listen on the standard port and require the +client to use the STARTTLS command before authenticating. + + + Enable SSL Support + SSL should be used to encrypt network traffic between the +Dovecot server and its clients. Users must authenticate to the Dovecot +server in order to read their mail, and passwords should never be +transmitted in clear text. In addition, protecting mail as it is +downloaded is a privacy measure, and clients may use SSL certificates +to authenticate the server, preventing another system from impersonating +the server. + + + Allow IMAP Clients to Access the Server + +The default iptables configuration does not allow inbound access to any services. +This modification will allow remote hosts to initiate connections to the IMAP daemon, +while keeping all other ports on the server in their default protected state. +To configure iptables to allow port 143 traffic, one must edit +/etc/sysconfig/iptables and +/etc/sysconfig/ip6tables (if IPv6 is in use). +Add the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain: +-A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT + + + + Disable Dovecot + If the system does not need to operate as an IMAP or +POP3 server, the dovecot software should be disabled and removed. 
+ + + + Network Time Protocol + The Network Time Protocol is used to manage the system +clock over a network. Computer clocks are not very accurate, so +time will drift unpredictably on unmanaged systems. Central time +protocols can be used both to ensure that time is consistent among +a network of systems, and that their time is consistent with the +outside world. + +If every system on a network reliably reports the same time, then it is much +easier to correlate log messages in case of an attack. In addition, a number of +cryptographic protocols (such as Kerberos) use timestamps to prevent certain +types of attacks. If your network does not have synchronized time, these +protocols may be unreliable or even unusable. + +Depending on the specifics of the network, global time accuracy may be just as +important as local synchronization, or not very important at all. If your +network is connected to the Internet, using a public timeserver (or one +provided by your enterprise) provides globally accurate timestamps which may be +essential in investigating or responding to an attack which originated outside +of your network. + +A typical network setup involves a small number of internal systems operating +as NTP servers, and the remainder obtaining time information from those +internal servers. + +There is a choice between the daemons ntpd and chronyd, which +are available from the repositories in the ntp and chrony +packages respectively. + +The default chronyd daemon can work well when external time references +are only intermittently accesible, can perform well even when the network is +congested for longer periods of time, can usually synchronize the clock faster +and with better time accuracy, and quickly adapts to sudden changes in the rate +of the clock, for example, due to changes in the temperature of the crystal +oscillator. 
Chronyd should be considered for all systems which are +frequently suspended or otherwise intermittently disconnected and reconnected +to a network. Mobile and virtual systems for example. + +The ntpd NTP daemon fully supports NTP protocol version 4 (RFC 5905), +including broadcast, multicast, manycast clients and servers, and the orphan +mode. It also supports extra authentication schemes based on public-key +cryptography (RFC 5906). The NTP daemon (ntpd) should be considered +for systems which are normally kept permanently on. Systems which are required +to use broadcast or multicast IP, or to perform authentication of packets with +the Autokey protocol, should consider using ntpd. + +Refer to + + + https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/servers/Configuring_NTP_Using_the_chrony_Suite/ + +for more detailed comparison of features of chronyd +and ntpd daemon features respectively, and for further guidance how to +choose between the two NTP daemons. + +The upstream manual pages at + http://chrony.tuxfamily.org/manual.html for +chronyd and + http://www.ntp.org for ntpd provide additional +information on the capabilities and configuration of each of the NTP daemons. + + + Vendor Approved Time Servers + The list of vendor-approved time servers + 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org + 0.fedora.pool.ntp.org,1.fedora.pool.ntp.org,2.fedora.pool.ntp.org,3.fedora.pool.ntp.org + 0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org + 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org + + + Maximum NTP or Chrony Poll + The maximum NTP or Chrony poll interval number in seconds specified as a power of two. + 17 + 16 + 10 + 10 + + + The Chrony package is installed + System time should be synchronized between all systems in an environment. This is +typically done by establishing an authoritative time server or set of servers and having all +systems synchronize their clocks to them. 
+The chrony package can be installed with the following command: + +$ sudo dnf install chrony + 0988 + 1405 + FMT_SMF_EXT.1 + SRG-OS-000355-GPOS-00143 + BP28(R43) + Time synchronization is important to support time sensitive security mechanisms like +Kerberos and also ensures log files have consistent time records across the enterprise, +which aids in forensic investigations. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! rpm -q --quiet "chrony" ; then + dnf install -y "chrony" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure chrony is installed + package: + name: chrony + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_chrony_installed + + include install_chrony + +class install_chrony { + package { 'chrony': + ensure => 'installed', + } +} + + +package --add=chrony + + +[[packages]] +name = "chrony" +version = "*" + + + + + + + + + + Install the ntp service + The ntpd service should be installed. + NT012(R03) + CCI-000160 + CM-6(a) + PR.PT-1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + BAI03.05 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + 1 + 14 + 15 + 16 + 3 + 5 + 6 + Req-10.4 + Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if ! 
rpm -q --quiet "ntp" ; then + dnf install -y "ntp" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure ntp is installed + package: + name: ntp + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4 + - enable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - package_ntp_installed + + include install_ntp + +class install_ntp { + package { 'ntp': + ensure => 'installed', + } +} + + +package --add=ntp + + +[[packages]] +name = "ntp" +version = "*" + + + + + + + The Chronyd service is enabled + chrony is a daemon which implements the Network Time Protocol (NTP) is designed to +synchronize system clocks across a variety of systems and use a source that is highly +accurate. More information on chrony can be found at + + http://chrony.tuxfamily.org/. +Chrony can be configured to be a client and/or a server. +To enable Chronyd service, you can run: +# systemctl enable chronyd.service +This recommendation only applies if chrony is in use on the system. + 0988 + 1405 + If chrony is in use on the system proper configuration is vital to ensuring time +synchronization is working properly. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'chronyd.service' +"$SYSTEMCTL_EXEC" start 'chronyd.service' +"$SYSTEMCTL_EXEC" enable 'chronyd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable service chronyd + block: + + - name: Gather the package facts + package_facts: + manager: auto + + - name: Enable service chronyd + service: + name: chronyd + enabled: 'yes' + state: started + masked: 'no' + when: + - '"chrony" in ansible_facts.packages' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_chronyd_enabled + + include enable_chronyd + +class enable_chronyd { + service {'chronyd': + enable => true, + ensure => 'running', + } +} + + + + + + + + + + Enable the NTP Daemon + + +Run the following command to determine the current status of the +chronyd service: +$ systemctl is-active chronyd +If the service is running, it should return the following: active +Note: The chronyd daemon is enabled by default. + + + +Run the following command to determine the current status of the +ntpd service: +$ systemctl is-active ntpd +If the service is running, it should return the following: active +Note: The ntpd daemon is not enabled by default. Though as mentioned +in the previous sections in certain environments the ntpd daemon might +be preferred to be used rather than the chronyd one. Refer to: + + + https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html + +for guidance which NTP daemon to choose depending on the environment used. 
+ 3.3.7 + CCI-000160 + CM-6(a) + AU-8(1)(a) + PR.PT-1 + SRG-OS-000356-VMM-001340 + Req-10.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + BAI03.05 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + 1 + 14 + 15 + 16 + 3 + 5 + 6 + 0988 + 1405 + Enabling some of chronyd or ntpd services ensures +that the NTP daemon will be running and that the system will synchronize its +time to any servers specified. This is important whether the system is +configured to be a client (and synchronize only its own clock) or it is also +acting as an NTP server to other systems. Synchronizing time is essential for +authentication services such as Kerberos, but it is also important for +maintaining accurate logs and auditing possible security breaches. + +The chronyd and ntpd NTP daemons offer all of the +functionality of ntpdate, which is now deprecated. Additional +information on this is available at + + http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if rpm -q --quiet chrony ; then + if ! /usr/sbin/pidof ntpd ; then + /usr/bin/systemctl enable "chronyd" + /usr/bin/systemctl start "chronyd" + # The service may not be running because it has been started and failed, + # so let's reset the state so OVAL checks pass. + # Service should be 'inactive', not 'failed' after reboot though. + /usr/bin/systemctl reset-failed "chronyd" + fi +elif rpm -q --quiet ntp ; then + /usr/bin/systemctl enable "ntpd" + /usr/bin/systemctl start "ntpd" + # The service may not be running because it has been started and failed, + # so let's reset the state so OVAL checks pass. + # Service should be 'inactive', not 'failed' after reboot though. + /usr/bin/systemctl reset-failed "ntpd" +else + if ! 
rpm -q --quiet "chrony" ; then + dnf install -y "chrony" + fi + /usr/bin/systemctl enable "chronyd" + /usr/bin/systemctl start "chronyd" + # The service may not be running because it has been started and failed, + # so let's reset the state so OVAL checks pass. + # Service should be 'inactive', not 'failed' after reboot though. + /usr/bin/systemctl reset-failed "chronyd" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Enable the NTP Daemon + +The ntpd service can be enabled with the following command: +$ sudo systemctl enable ntpd.service + NT012(R03) + CCI-000160 + CM-6(a) + AU-8(1)(a) + PR.PT-1 + Req-10.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + BAI03.05 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + 1 + 14 + 15 + 16 + 3 + 5 + 6 + Enabling the ntpd service ensures that the ntpd +service will be running and that the system will synchronize its time to +any servers specified. This is important whether the system is configured to be +a client (and synchronize only its own clock) or it is also acting as an NTP +server to other systems. Synchronizing time is essential for authentication +services such as Kerberos, but it is also important for maintaining accurate +logs and auditing possible security breaches. + +The NTP daemon offers all of the functionality of ntpdate, which is now +deprecated. Additional information on this is available at + + http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'ntp.service' +"$SYSTEMCTL_EXEC" start 'ntp.service' +"$SYSTEMCTL_EXEC" enable 'ntp.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable service ntp + block: + + - name: Gather the package facts + package_facts: + manager: auto + + - name: Enable service ntp + service: + name: ntp + enabled: 'yes' + state: started + masked: 'no' + when: + - '"ntp" in ansible_facts.packages' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-8(1)(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4 + - enable_strategy + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - service_ntp_enabled + + include enable_ntp + +class enable_ntp { + service {'ntp': + enable => true, + ensure => 'running', + } +} + + + + + + + + + + Enable the NTP Daemon + +The ntpd service can be enabled with the following command: +$ sudo systemctl enable ntpd.service + CM-6(a) + AU-8(1)(a) + PR.PT-1 + Req-10.4 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + BAI03.05 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + 1 + 14 + 15 + 16 + 3 + 5 + 6 + Enabling the ntpd service ensures that the ntpd +service will be running and that the system will synchronize its time to +any servers specified. This is important whether the system is configured to be +a client (and synchronize only its own clock) or it is also acting as an NTP +server to other systems. Synchronizing time is essential for authentication +services such as Kerberos, but it is also important for maintaining accurate +logs and auditing possible security breaches. + +The NTP daemon offers all of the functionality of ntpdate, which is now +deprecated. 
Additional information on this is available at + + http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'ntpd.service' +"$SYSTEMCTL_EXEC" start 'ntpd.service' +"$SYSTEMCTL_EXEC" enable 'ntpd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable service ntpd + block: + + - name: Gather the package facts + package_facts: + manager: auto + + - name: Enable service ntpd + service: + name: ntpd + enabled: 'yes' + state: started + masked: 'no' + when: + - '"ntp" in ansible_facts.packages' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AU-8(1)(a) + - NIST-800-53-CM-6(a) + - PCI-DSS-Req-10.4 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_ntpd_enabled + + include enable_ntpd + +class enable_ntpd { + service {'ntpd': + enable => true, + ensure => 'running', + } +} + + + + + + + + + + Configure Time Service Maxpoll Interval + The maxpoll should be configured to + in /etc/ntp.conf or +/etc/chrony.conf to continuously poll time servers. To configure +maxpoll in /etc/ntp.conf or /etc/chrony.conf +add the following: +maxpoll + CCI-001891 + CCI-002046 + CM-6(a) + AU-8(1)(b) + PR.PT-1 + SRG-OS-000355-GPOS-00143 + SRG-OS-000356-GPOS-00144 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + BAI03.05 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + 1 + 14 + 15 + 16 + 3 + 5 + 6 + Inaccurate time stamps make it more difficult to correlate +events and can lead to an inaccurate analysis. 
Determining the correct +time a particular event occurred on a system is critical when conducting +forensic analysis and investigating system events. Sources outside the +configured acceptable allowance (drift) may be inaccurate. + + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.
%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking + mode: 420 + overwrite: true + path: /etc/chrony.conf + - contents: + source: data:, + mode: 420 + overwrite: true + path: /etc/chrony.d/.mco-keep + + + + + + + + + + + Ensure that chronyd is running under chrony user account + chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to +synchronize system clocks across a variety of systems and use a source that is highly +accurate. More information on chrony can be found at + + http://chrony.tuxfamily.org/. +Chrony can be configured to be a client and/or a server. +To ensure that chronyd is running under chrony user account, Add or edit the +OPTIONS variable in /etc/sysconfig/chronyd to include -u chrony: +OPTIONS="-u chrony" +This recommendation only applies if chrony is in use on the system. + If chrony is in use on the system proper configuration is vital to ensuring time synchronization +is working properly. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && { rpm --quiet -q chrony; }; then + +if grep -q 'OPTIONS=.*' /etc/sysconfig/chronyd; then + # trying to solve cases where the parameter after OPTIONS + #may or may not be enclosed in quotes + sed -i -E -e 's/\s*-u\s+\w+\s*/ /' -e 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u chrony\2/' /etc/sysconfig/chronyd +else + echo 'OPTIONS="-u chrony"' >> /etc/sysconfig/chronyd +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - chronyd_run_as_chrony_user + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Detect if file /etc/sysconfig/chronyd is not empty or missing + find: + path: /etc/sysconfig/ + patterns: chronyd + contains: ^([\s]*OPTIONS=["]?[^"]*)("?) + register: chronyd_file + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"chrony" in ansible_facts.packages' + tags: + - chronyd_run_as_chrony_user + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Remove any previous configuration of user used to run chronyd process + replace: + path: /etc/sysconfig/chronyd + regexp: \s*-u\s+\w+\s* + replace: ' ' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"chrony" in ansible_facts.packages' + - chronyd_file is defined and chronyd_file.matched > 0 + tags: + - chronyd_run_as_chrony_user + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Correct existing line in /etc/sysconfig/chronyd to run chronyd as chrony user + lineinfile: + path: /etc/sysconfig/chronyd + regexp: ^([\s]*OPTIONS=["]?[^"]*)("?) 
+ line: \1 -u chrony\2 + state: present + backrefs: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"chrony" in ansible_facts.packages' + - chronyd_file is defined and chronyd_file.matched > 0 + tags: + - chronyd_run_as_chrony_user + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Insert correct line into /etc/sysconfig/chronyd ensuring chronyd runs as chrony + user + lineinfile: + path: /etc/sysconfig/chronyd + line: OPTIONS="-u chrony" + state: present + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"chrony" in ansible_facts.packages' + - chronyd_file is defined and chronyd_file.matched == 0 + tags: + - chronyd_run_as_chrony_user + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + Specify Additional Remote NTP Servers + Additional NTP servers can be specified for time synchronization +in the file /etc/ntp.conf. To do so, add additional lines of the +following form, substituting the IP address or hostname of a remote NTP server for +ntpserver: +server ntpserver + CM-6(a) + AU-8(1)(a) + AU-8(2) + PR.PT-1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + BAI03.05 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + 1 + 14 + 15 + 16 + 3 + 5 + 6 + Req-10.4.3 + Specifying additional NTP servers increases the availability of +accurate time data, in the event that one of the specified servers becomes +unavailable. This is typical for a system acting as an NTP server for +other systems. 
+ + + + + + + Specify a Remote NTP Server + Depending on specific functional requirements of a concrete +production environment, the Fedora system can be +configured to utilize the services of the chronyd NTP daemon (the +default), or services of the ntpd NTP daemon. Refer to + + + https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html + +for more detailed comparison of the features of both of the choices, and for +further guidance how to choose between the two NTP daemons. + +To specify a remote NTP server for time synchronization, perform the following: + if the system is configured to use the chronyd as the NTP daemon (the +default), edit the file /etc/chrony.conf as follows, if the system is configured to use the ntpd as the NTP daemon, +edit the file /etc/ntp.conf as documented below. +Add or correct the following lines, substituting the IP or hostname of a remote +NTP server for ntpserver: +server ntpserver +This instructs the NTP software to contact that remote server to obtain time +data. + 3.3.7 + CCI-000160 + CCI-001891 + CM-6(a) + AU-8(1)(a) + AU-8(2) + PR.PT-1 + SRG-OS-000355-VMM-001330 + Req-10.4.1 + Req-10.4.3 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + BAI03.05 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + 1 + 14 + 15 + 16 + 3 + 5 + 6 + Synchronizing with an NTP server makes it possible to collate system +logs from multiple sources or correlate computer events with real time events. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +var_multiple_time_servers="" + + + +config_file="/etc/ntp.conf" +/usr/sbin/pidof ntpd || config_file="/etc/chrony.conf" + +if ! grep -q ^server "$config_file" ; then + if ! 
grep -q '#[[:space:]]*server' "$config_file" ; then + for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do + printf '\nserver %s' "$server" >> "$config_file" + done + else + sed -i 's/#[ \t]*server/server/g' "$config_file" + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A
%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking + mode: 420 + overwrite: true + path: /etc/chrony.conf + - contents: + source: data:, + mode: 420 + overwrite: true + path: /etc/chrony.d/.mco-keep + + + + + + + + + + Specify Additional Remote NTP Servers + Depending on specific functional requirements of a concrete +production environment, the Fedora system can be +configured to utilize the services of the chronyd NTP daemon (the +default), or services of the ntpd NTP daemon. Refer to + + + https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html + +for more detailed comparison of the features of both of the choices, and for +further guidance how to choose between the two NTP daemons. + +Additional NTP servers can be specified for time synchronization. To do so, +perform the following: + if the system is configured to use the chronyd as the NTP daemon +(the default), edit the file /etc/chrony.conf as follows, if the system is configured to use the ntpd as the NTP daemon, +edit the file /etc/ntp.conf as documented below. 
+Add additional lines of the following form, substituting the IP address or +hostname of a remote NTP server for ntpserver: +server ntpserver + CM-6(a) + AU-8(1)(a) + AU-8(2) + PR.PT-1 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + BAI03.05 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + 1 + 14 + 15 + 16 + 3 + 5 + 6 + Req-10.4.3 + 0988 + 1405 + Specifying additional NTP servers increases the availability of +accurate time data, in the event that one of the specified servers becomes +unavailable. This is typical for a system acting as an NTP server for +other systems. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +var_multiple_time_servers="" + + + +config_file="/etc/ntp.conf" +/usr/sbin/pidof ntpd || config_file="/etc/chrony.conf" + +if ! [ "$(grep -c '^server' "$config_file")" -gt 1 ] ; then + if ! 
grep -q '#[[:space:]]*server' "$config_file" ; then + for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do + printf '\nserver %s' "$server" >> "$config_file" + done + else + sed -i 's/#[ \t]*server/server/g' "$config_file" + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A
%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking + mode: 420 + overwrite: true + path: /etc/chrony.conf + - contents: + source: data:, + mode: 420 + overwrite: true + path: /etc/chrony.d/.mco-keep + + + + + + + Configure server restrictions for ntpd + ntpd is a daemon which implements the Network Time Protocol (NTP). It is designed to +synchronize system clocks across a variety of systems and use a source that is highly +accurate. More information on NTP can be found at + + http://www.ntp.org. +ntp can be configured to be a client and/or a server. +To ensure that ntpd implements correct server restrictions, make sure that the following lines exist in the file /etc/ntpd.conf: +restrict -4 default kod nomodify notrap nopeer noquery +restrict -6 default kod nomodify notrap nopeer noquery +This recommendation only applies if ntp is in use on the system. + If ntp is in use on the system proper configuration is vital to ensuring time synchronization +is working properly. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q ntp; }; then + +#!/bin/bash + +if [ -e "/etc/ntp.conf" ] ; then + LC_ALL=C sed -i "/^\s*restrict -4\s\+/Id" "/etc/ntp.conf" +else + touch "/etc/ntp.conf" +fi +cp "/etc/ntp.conf" "/etc/ntp.conf.bak" +# Insert at the end of the file +printf '%s\n' "restrict -4 default kod nomodify notrap nopeer noquery" >> "/etc/ntp.conf" +# Clean up after ourselves. 
+rm "/etc/ntp.conf.bak" +if [ -e "/etc/ntp.conf" ] ; then + LC_ALL=C sed -i "/^\s*restrict -6\s\+/Id" "/etc/ntp.conf" +else + touch "/etc/ntp.conf" +fi +cp "/etc/ntp.conf" "/etc/ntp.conf.bak" +# Insert at the end of the file +printf '%s\n' "restrict -6 default kod nomodify notrap nopeer noquery" >> "/etc/ntp.conf" +# Clean up after ourselves. +rm "/etc/ntp.conf.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - ntpd_configure_restrictions + +- name: configure ipv4 restrictions for ntpd + lineinfile: + path: /etc/ntp.conf + create: true + line: restrict -4 default kod nomodify notrap nopeer noquery + state: present + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"ntp" in ansible_facts.packages' + tags: + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - ntpd_configure_restrictions + +- name: configure ipv6 restrictions for ntpd + lineinfile: + path: /etc/ntp.conf + create: true + line: restrict -6 default kod nomodify notrap nopeer noquery + state: present + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"ntp" in ansible_facts.packages' + tags: + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - ntpd_configure_restrictions + + + + + + + + + + Configure ntpd To Run As ntp User + ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to +synchronize system clocks across a variety of systems and use a source that is highly +accurate. More information on NTP can be found at + + http://www.ntp.org. +ntp can be configured to be a client and/or a server. 
+To ensure that ntpd is running as ntp user, Add or edit the +OPTIONS variable in /etc/sysconfig/ntpd to include ' -u ntp:ntp ': +OPTIONS="-u ntp:ntp" +This recommendation only applies if ntp is in use on the system. + If ntp is in use on the system proper configuration is vital to ensuring time synchronization +is working properly. Running ntpd under dedicated user accounts limits the attack surface for +potential attacker exploiting security flaws in the daemon or the protocol. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q ntp; }; then + +if grep -q 'OPTIONS=.*' /etc/sysconfig/ntpd; then + # trying to solve cases where the parameter after OPTIONS + #may or may not be enclosed in quotes + sed -i -E 's/^([\s]*OPTIONS=["]?[^"]*)("?)/\1 -u ntp:ntp\2/' /etc/sysconfig/ntpd +else + echo 'OPTIONS="-u ntp:ntp"' >> /etc/sysconfig/ntpd +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - ntpd_run_as_ntp_user + +- name: detect if file is not empty or missing + find: + path: /etc/sysconfig/ + patterns: ntpd + contains: ^([\s]*OPTIONS=["]?[^"]*)("?) + register: ntpd_file + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"ntp" in ansible_facts.packages' + tags: + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - ntpd_run_as_ntp_user + +- name: replace existing setting or create a new file, rest is handled by different + task + lineinfile: + path: /etc/sysconfig/ntpd + regexp: ^([\s]*OPTIONS=["]?[^"]*)("?) 
+ line: \1 -u ntp:ntp\2 + state: present + create: true + backrefs: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"ntp" in ansible_facts.packages' + - ntpd_file.matched > 0 + tags: + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - ntpd_run_as_ntp_user + +- name: put line into file, assume file was empty + lineinfile: + path: /etc/sysconfig/ntpd + line: OPTIONS="-u ntp:ntp" + state: present + create: true + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"ntp" in ansible_facts.packages' + - ntpd_file.matched == 0 + tags: + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - ntpd_run_as_ntp_user + + + + + + + + + + Disable network management of chrony daemon + The cmdport option in /etc/chrony.conf can be set to +0 to stop chrony daemon from listening on the UDP port 323 +for management connections made by chronyc. + FMT_SMF_EXT.1 + SRG-OS-000096-GPOS-00050 + SRG-OS-000095-GPOS-00049 + CCI-000381 + Not exposing the management interface of the chrony daemon on +the network diminishes the attack space. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +# Include source function library + +replace_or_append /etc/chrony.conf '^cmdport' 0 '' '%s %s' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A
%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking + mode: 420 + overwrite: true + path: /etc/chrony.conf + - contents: + source: data:, + mode: 420 + overwrite: true + path: /etc/chrony.d/.mco-keep + + + + + + + + + + Specify a Remote NTP Server + To specify a remote NTP server for time synchronization, edit +the file /etc/ntp.conf. Add or correct the following lines, +substituting the IP or hostname of a remote NTP server for ntpserver: +server ntpserver +This instructs the NTP software to contact that remote server to obtain time +data. + CM-6(a) + AU-8(1)(a) + PR.PT-1 + Req-10.4.1 + Req-10.4.3 + SR 2.10 + SR 2.11 + SR 2.12 + SR 2.8 + SR 2.9 + 4.3.3.3.9 + 4.3.3.5.8 + 4.3.4.4.7 + 4.4.2.1 + 4.4.2.2 + 4.4.2.4 + APO11.04 + BAI03.05 + DSS05.04 + DSS05.07 + MEA02.01 + A.12.4.1 + A.12.4.2 + A.12.4.3 + A.12.4.4 + A.12.7.1 + 1 + 14 + 15 + 16 + 3 + 5 + 6 + Synchronizing with an NTP server makes it possible +to collate system logs from multiple sources or correlate computer events with +real time events. + + + + + + + + + + Disable chrony daemon from acting as server + The port option in /etc/chrony.conf can be set to +0 to make chrony daemon to never open any listening port +for server operation and to operate strictly in a client-only mode. + FMT_SMF_EXT.1 + SRG-OS-000096-GPOS-00050 + SRG-OS-000095-GPOS-00049 + CCI-000381 + Minimizing the exposure of the server functionality of the chrony +daemon diminishes the attack surface. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +# Include source function library + +replace_or_append /etc/chrony.conf '^port' 0 '' '%s %s' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23
%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking + mode: 420 + overwrite: true + path: /etc/chrony.conf + - contents: + source: data:, + mode: 420 + overwrite: true + path: /etc/chrony.d/.mco-keep + + + + + + + + + + A remote time server for Chrony is configured + Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to +synchronize system clocks across a variety of systems and use a source that is highly +accurate. More information on chrony can be found at + + http://chrony.tuxfamily.org/. +Chrony can be configured to be a client and/or a server. +Add or edit server or pool lines to /etc/chrony.conf as appropriate: +server <remote-server> +Multiple servers may be configured. + 0988 + 1405 + BP28(R43) + If chrony is in use on the system proper configuration is vital to ensuring time +synchronization is working properly. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q chrony; }; then + + +var_multiple_time_servers="" + + + +config_file="/etc/chrony.conf" + +if ! grep -q '^[\s]*(?:server|pool)[\s]+[\w]+' "$config_file" ; then + if ! 
grep -q '#[[:space:]]*server' "$config_file" ; then + for server in $(echo "$var_multiple_time_servers" | tr ',' '\n') ; do + printf '\nserver %s' "$server" >> "$config_file" + done + else + sed -i 's/#[ \t]*server/server/g' "$config_file" + fi +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - chronyd_specify_remote_server + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed +- name: XCCDF Value var_multiple_time_servers # promote to variable + set_fact: + var_multiple_time_servers: !!str + tags: + - always + +- name: Detect if chrony is already configured with pools or servers + find: + path: /etc + patterns: chrony.conf + contains: ^[\s]*(?:server|pool)[\s]+[\w]+ + register: chrony_servers + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"chrony" in ansible_facts.packages' + tags: + - chronyd_specify_remote_server + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Configure remote time servers + lineinfile: + path: /etc/chrony.conf + line: server {{ item }} + state: present + create: true + loop: '{{ var_multiple_time_servers.split(",") }}' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"chrony" in ansible_facts.packages' + - chrony_servers.matched == 0 + tags: + - chronyd_specify_remote_server + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + + + + + + + + + + Avahi Server + The Avahi daemon implements the DNS Service Discovery +and Multicast DNS protocols, which provide service and host +discovery on a network. It allows a system to automatically +identify resources on the network, such as printers or web servers. 
+This capability is also known as mDNSresponder and is a major part +of Zeroconf networking. + + Configure Avahi if Necessary + If your system requires the Avahi daemon, its configuration can be restricted +to improve security. The Avahi daemon configuration file is +/etc/avahi/avahi-daemon.conf. The following security recommendations +should be applied to this file: +See the avahi-daemon.conf(5) man page, or documentation at + + http://www.avahi.org, for more detailed information +about the configuration options. + + Disable Avahi Publishing + To prevent Avahi from publishing its records, edit /etc/avahi/avahi-daemon.conf +and ensure the following line appears in the [publish] section: +disable-publishing=yes + CM-7(a) + CM-7(b) + CM-6(a) + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + PR.IP-1 + PR.PT-3 + This helps ensure that no record will be published by Avahi. + + + + Disable Avahi Server if Possible + Because the Avahi daemon service keeps an open network +port, it is subject to network attacks. +Disabling it can reduce the system's vulnerability to such attacks. + + + + LDAP + LDAP is a popular directory service, that is, a +standardized way of looking up information from a central database. +Fedora includes software that enables a system to act as both +an LDAP client and server. 
+ + Configure OpenLDAP Server + This section details some security-relevant settings +for an OpenLDAP server. + + Install and Protect LDAP Certificate Files + Create the PKI directory for LDAP certificates if it does not already exist: +$ sudo mkdir /etc/pki/tls/ldap +$ sudo chown root:root /etc/pki/tls/ldap +$ sudo chmod 755 /etc/pki/tls/ldap +Using removable media or some other secure transmission format, install the certificate files +onto the LDAP server: +/etc/pki/tls/ldap/serverkey.pem: the private key ldapserverkey.pem/etc/pki/tls/ldap/servercert.pem: the certificate file ldapservercert.pem +Verify the ownership and permissions of these files: +$ sudo chown root:ldap /etc/pki/tls/ldap/serverkey.pem +$ sudo chown root:ldap /etc/pki/tls/ldap/servercert.pem +$ sudo chmod 640 /etc/pki/tls/ldap/serverkey.pem +$ sudo chmod 640 /etc/pki/tls/ldap/servercert.pem +Verify that the CA's public certificate file has been installed as +/etc/pki/tls/CA/cacert.pem, and has the correct permissions: +$ sudo mkdir /etc/pki/tls/CA +$ sudo chown root:root /etc/pki/tls/CA/cacert.pem +$ sudo chmod 644 /etc/pki/tls/CA/cacert.pem + +As a result of these steps, the LDAP server will have access to its own private +certificate and the key with which that certificate is encrypted, and to the +public certificate file belonging to the CA. Note that it would be possible for +the key to be protected further, so that processes running as ldap could not +read it. If this were done, the LDAP server process would need to be restarted +manually whenever the server rebooted. + + + + Configure OpenLDAP Clients + This section provides information on which security settings are +important to configure in OpenLDAP clients by manually editing the appropriate +configuration files. Fedora provides an automated configuration tool called +authconfig and a graphical wrapper for authconfig called +system-config-authentication. 
However, these tools do not provide as +much control over configuration as manual editing of configuration files. The +authconfig tools do not allow you to specify locations of SSL certificate +files, which is useful when trying to use SSL cleanly across several protocols. +Installation and configuration of OpenLDAP on Fedora is available at + Before configuring any system to be an +LDAP client, ensure that a working LDAP server is present on the +network. + + Ensure LDAP client is not installed + The Lightweight Directory Access Protocol (LDAP) is a service that provides +a method for looking up information from a central database. +The openldap-clients package can be removed with the following command: + +$ sudo dnf erase openldap-clients + If the system does not need to act as an LDAP client, it is recommended that the software is removed to reduce the potential attack surface. + +# CAUTION: This remediation script will remove openldap-clients +# from the system, and may remove any packages +# that depend on openldap-clients. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "openldap-clients" ; then + dnf remove -y "openldap-clients" +fi + + - name: Ensure openldap-clients is removed + package: + name: openldap-clients + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_openldap-clients_removed + + include remove_openldap-clients + +class remove_openldap-clients { + package { 'openldap-clients': + ensure => 'purged', + } +} + + +package --remove=openldap-clients + + + + + + + + + + + + Print Support + The Common Unix Printing System (CUPS) service provides both local +and network printing support. A system running the CUPS service can accept +print jobs from other systems, process them, and send them to the appropriate +printer. It also provides an interface for remote administration through a web +browser. 
The CUPS service is installed and activated by default. The project +homepage and more detailed documentation are available at + + http://www.cups.org. + + + Configure the CUPS Service if Necessary + CUPS provides the ability to easily share local printers with +other systems over the network. It does this by allowing systems to share +lists of available printers. Additionally, each system that runs the CUPS +service can potentially act as a print server. Whenever possible, the printer +sharing and print server capabilities of CUPS should be limited or disabled. +The following recommendations should demonstrate how to do just that. + + + + DHCP + The Dynamic Host Configuration Protocol (DHCP) allows +systems to request and obtain an IP address and other configuration +parameters from a server. + +This guide recommends configuring networking on clients by manually editing +the appropriate files under /etc/sysconfig. Use of DHCP can make client +systems vulnerable to compromise by rogue DHCP servers, and should be avoided +unless necessary. If using DHCP is necessary, however, there are best practices +that should be followed to minimize security risk. + + Disable DHCP Server + The DHCP server dhcpd is not installed or activated by +default. If the software was installed and activated, but the +system does not need to act as a DHCP server, it should be disabled +and removed. + + + Disable DHCP Client + DHCP is the default network configuration method provided by the system +installer, and common on many networks. Nevertheless, manual management +of IP addresses for systems implies a greater degree of management and +accountability for network activity. + + + Configure DHCP Client if Necessary + If DHCP must be used, then certain configuration changes can +minimize the amount of information it receives and applies from the network, +and thus the amount of incorrect information a rogue DHCP server could +successfully distribute. 
For more information on configuring dhclient, see the +dhclient(8) and dhclient.conf(5) man pages. + + Minimize the DHCP-Configured Options + Create the file /etc/dhcp/dhclient.conf, and add an +appropriate setting for each of the ten configuration settings which can be +obtained via DHCP. For each setting, do one of the following: + +If the setting should not be configured remotely by the DHCP server, +select an appropriate static value, and add the line: +supersede setting value; +If the setting should be configured remotely by the DHCP server, add the lines: +request setting; +require setting; +For example, suppose the DHCP server should provide only the IP address itself +and the subnet mask. Then the entire file should look like: +supersede domain-name "example.com"; +supersede domain-name-servers 192.168.1.2; +supersede nis-domain ""; +supersede nis-servers ""; +supersede ntp-servers "ntp.example.com "; +supersede routers 192.168.1.1; +supersede time-offset -18000; +request subnet-mask; +require subnet-mask; + In this example, the options nis-servers and +nis-domain are set to empty strings, on the assumption that the deprecated NIS +protocol is not in use. It is necessary to supersede settings for unused +services so that they cannot be set by a hostile DHCP server. If an option is +set to an empty string, dhclient will typically not attempt to configure the +service. + By default, the DHCP client program, dhclient, requests and applies +ten configuration options (in addition to the IP address) from the DHCP server. +subnet-mask, broadcast-address, time-offset, routers, domain-name, +domain-name-servers, host-name, nis-domain, nis-servers, and ntp-servers. Many +of the options requested and applied by dhclient may be the same for every +system on a network. It is recommended that almost all configuration options be +assigned statically, and only options which must vary on a host-by-host basis +be assigned via DHCP. 
This limits the damage which can be done by a rogue DHCP +server. If appropriate for your site, it is also possible to supersede the +host-name directive in /etc/dhcp/dhclient.conf, establishing a static +hostname for the system. However, dhclient does not use the host name option +provided by the DHCP server (instead using the value provided by a reverse DNS +lookup). + + + + Configure DHCP Server + If the system must act as a DHCP server, the configuration +information it serves should be minimized. Also, support for other protocols +and DNS-updating schemes should be explicitly disabled unless needed. The +configuration file for dhcpd is called /etc/dhcp/dhcpd.conf. The file +begins with a number of global configuration options. The remainder of the file +is divided into sections, one for each block of addresses offered by dhcpd, +each of which contains configuration options specific to that address +block. + + Minimize Served Information + Edit /etc/dhcp/dhcpd.conf. Examine each address range section within +the file, and ensure that the following options are not defined unless there is +an operational need to provide this information via DHCP: +option domain-name +option domain-name-servers +option nis-domain +option nis-servers +option ntp-servers +option routers +option time-offset + By default, the Red Hat Enterprise Linux client installation uses DHCP +to request much of the above information from the DHCP server. In particular, +domain-name, domain-name-servers, and routers are configured via DHCP. These +settings are typically necessary for proper network functionality, but are also +usually static across systems at a given site. 
+ CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + Because the configuration information provided by the DHCP server +could be maliciously provided to clients by a rogue DHCP server, the amount of +information provided via DHCP should be minimized. Remove these definitions +from the DHCP server configuration to ensure that legitimate clients do not +unnecessarily rely on DHCP for this information. + + + + + Obsolete Services + This section discusses a number of network-visible +services which have historically caused problems for system +security, and for which disabling or severely limiting the service +has been the best available guidance for some time. As a result of +this, many of these services are not installed as part of Fedora +by default. + +Organizations which are running these services should +switch to more secure equivalents as soon as possible. +If it remains absolutely necessary to run one of +these services for legacy reasons, care should be taken to restrict +the service as much as possible, for instance by configuring host + +firewall software such as iptables to restrict access to the + +vulnerable service to only those remote hosts which have a known +need to use it. 
+ + Ensure rsyncd service is diabled + +The rsyncd service can be disabled with the following command: +$ sudo systemctl mask --now rsyncd.service + The rsyncd service presents a security risk as it uses unencrypted protocols for +communication. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'rsyncd.service' +"$SYSTEMCTL_EXEC" disable 'rsyncd.service' +"$SYSTEMCTL_EXEC" mask 'rsyncd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^rsyncd.socket'; then + "$SYSTEMCTL_EXEC" stop 'rsyncd.socket' + "$SYSTEMCTL_EXEC" mask 'rsyncd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. +"$SYSTEMCTL_EXEC" reset-failed 'rsyncd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable service rsyncd + block: + + - name: Gather the service facts + service_facts: null + + - name: Disable service rsyncd + systemd: + name: rsyncd.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"rsyncd.service" in ansible_facts.services' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_rsyncd_disabled + +- name: Unit Socket Exists - rsyncd.socket + command: systemctl list-unit-files rsyncd.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - 
service_rsyncd_disabled + +- name: Disable socket rsyncd + systemd: + name: rsyncd.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"rsyncd.socket" in socket_file_exists.stdout_lines[1]' + tags: + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_rsyncd_disabled + + include disable_rsyncd + +class disable_rsyncd { + service {'rsyncd': + enable => false, + ensure => 'stopped', + } +} + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: rsyncd.service + enabled: false + mask: true + - name: rsyncd.socket + enabled: false + mask: true + + + + + + + + + + Telnet + The telnet protocol does not provide confidentiality or integrity +for information transmitted on the network. This includes authentication +information such as passwords. Organizations which use telnet should be +actively working to migrate to a more secure protocol. + + + TFTP Server + TFTP is a lightweight version of the FTP protocol which has +traditionally been used to configure networking equipment. However, +TFTP provides little security, and modern versions of networking +operating systems frequently support configuration via SSH or other +more secure protocols. A TFTP server should be run only if no more +secure method of supporting existing equipment can be +found. + + TFTP server secure directory + Specify the directory which is used by TFTP server as a root directory when running in secure mode. + /var/lib/tftpboot + + + + Rlogin, Rsh, and Rexec + The Berkeley r-commands are legacy services which +allow cleartext remote access and have an insecure trust +model. 
+ + Remove Rsh Trust Files + The files /etc/hosts.equiv and ~/.rhosts (in +each user's home directory) list remote hosts and users that are trusted by the +local system when using the rshd daemon. +To remove these files, run the following command to delete them from any +location: +$ sudo rm /etc/hosts.equiv +$ rm ~/.rhosts + CCI-001436 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + CM-7(a) + CM-7(b) + CM-6(a) + PR.AC-3 + PR.IP-1 + PR.PT-3 + PR.PT-4 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO13.01 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS01.04 + DSS05.02 + DSS05.03 + DSS05.05 + DSS06.06 + A.11.2.6 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.2.1 + A.6.2.2 + A.9.1.2 + 11 + 12 + 14 + 15 + 3 + 8 + 9 + This action is only meaningful if .rhosts support is permitted +through PAM. Trust files are convenient, but when used in conjunction with +the R-services, they can allow unauthenticated access to a system. 
+ - block: + + - name: Detect shosts.equiv Files on the System + find: + paths: / + recurse: true + patterns: shosts.equiv + check_mode: false + register: shosts_equiv_locations + + - name: Remove Rsh Trust Files + file: + path: '{{ item.path }}' + state: absent + with_items: '{{ shosts_equiv_locations.files }}' + when: shosts_equiv_locations + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - no_rsh_trust_files + - restrict_strategy + + + + + + + + + + + Xinetd + The xinetd service acts as a dedicated listener for some +network services (mostly, obsolete ones) and can be used to provide access +controls and perform some logging. It has been largely obsoleted by other +features, and it is not installed by default. The older Inetd service +is not even available as part of Fedora. + + + + Chat/Messaging Services + The talk software makes it possible for users to send and receive messages +across systems through a terminal session. + + + NIS + The Network Information Service (NIS), also known as 'Yellow +Pages' (YP), and its successor NIS+ have been made obsolete by +Kerberos, LDAP, and other modern centralized authentication +services. NIS should not be used because it suffers from security +problems inherent in its design, such as inadequate protection of +important authentication information. + + + + DNS Server + Most organizations have an operational need to run at +least one nameserver. However, there are many common attacks +involving DNS server software, and this server software should +be disabled on any system +on which it is not needed. + + Protect DNS Data from Tampering or Attack + This section discusses DNS configuration options which make it +more difficult for attackers to gain access to private DNS data or to modify +DNS data. 
+ + Run Separate DNS Servers for External and Internal Queries + Is it possible to run external and internal nameservers on +separate systems? If so, follow the configuration guidance in this section. On +the external nameserver, edit /etc/named.conf to add or correct the +following directives: +options { + allow-query { any; }; + recursion no; + ... +}; +zone "example.com " IN { + ... +}; +On the internal nameserver, edit /etc/named.conf. Add or correct the +following directives, where SUBNET is the numerical IP representation of your +organization in the form xxx.xxx.xxx.xxx/xx: +acl internal { + SUBNET ; + localhost; +}; +options { + allow-query { internal; }; + ... +}; +zone "internal.example.com " IN { + ... +}; + + + Use Views to Partition External and Internal Information + If it is not possible to run external and internal nameservers on +separate physical systems, run BIND9 and simulate this feature using views. +Edit /etc/named.conf. Add or correct the following directives (where +SUBNET is the numerical IP representation of your organization in the form +xxx.xxx.xxx.xxx/xx): +acl internal { + SUBNET ; + localhost; +}; +view "internal-view" { + match-clients { internal; }; + zone "." IN { + type hint; + file "db.cache"; + }; + zone "internal.example.com " IN { + ... + }; +}; + +view "external-view" { + match-clients { any; }; + recursion no; + zone "example.com " IN { + ... + }; +}; + As shown in the example, database files which are +required for recursion, such as the root hints file, must be available to any +clients which are allowed to make recursive queries. Under typical +circumstances, this includes only the internal clients which are allowed to use +this server as a general-purpose nameserver. + + + + Disable DNS Server + DNS software should be disabled on any systems which does not +need to be a nameserver. Note that the BIND DNS server software is +not installed on Fedora by default. 
The remainder of this section +discusses secure configuration of systems which must be +nameservers. + + Uninstall bind Package + The named service is provided by the bind package. +The bind package can be removed with the following command: + +$ sudo dnf erase bind + CCI-000366 + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + PR.PT-3 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.05 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.9.1.2 + 11 + 14 + 3 + 9 + If there is no need to make DNS server software available, +removing it provides a safeguard against its activation. + +# CAUTION: This remediation script will remove bind +# from the system, and may remove any packages +# that depend on bind. Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "bind" ; then + dnf remove -y "bind" +fi + + - name: Ensure bind is removed + package: + name: bind + state: absent + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_strategy + - low_complexity + - low_disruption + - low_severity + - no_reboot_needed + - package_bind_removed + + include remove_bind + +class remove_bind { + package { 'bind': + ensure => 'purged', + } +} + + +package --remove=bind + + + + + + + + + + + Isolate DNS from Other Services + This section discusses mechanisms for preventing the DNS server +from interfering with other services. 
This is done both to protect the +remainder of the network should a nameserver be compromised, and to make direct +attacks on nameservers more difficult. + + Run DNS Software on Dedicated Servers + Since DNS is +a high-risk service which must frequently be made available to the entire +Internet, it is strongly recommended that no other services be offered by +systems which act as organizational DNS servers. + + + Run DNS Software in a chroot Jail + Install the bind-chroot package: +$ sudo yum install bind-chroot +Place a valid named.conf file inside the chroot jail: +$ sudo cp /etc/named.conf /var/named/chroot/etc/named.conf +$ sudo chown root:root /var/named/chroot/etc/named.conf +$ sudo chmod 644 /var/named/chroot/etc/named.conf +Create and populate an appropriate zone directory within the jail, based on the +options directive. If your named.conf includes: +options { +directory "/path/to/DIRNAME "; +... +} +then copy that directory and its contents from the original zone directory: +$ sudo cp -r /path/to/DIRNAME /var/named/chroot/DIRNAME +Add or correct the following line within /etc/sysconfig/named: +ROOTDIR=/var/named/chroot + If you are running BIND in a chroot jail, then you +should use the jailed named.conf as the primary nameserver +configuration file. That is, when this guide recommends editing +/etc/named.conf, you should instead edit +/var/named/chroot/etc/named.conf. + + + + + Hardware RNG Entropy Gatherer Daemon + The rngd feeds random data from hardware device to kernel random device. + + + Enable the Hardware RNG Entropy Gatherer Service + The Hardware RNG Entropy Gatherer service should be enabled. + +The rngd service can be enabled with the following command: +$ sudo systemctl enable rngd.service + FCS_RBG_EXT.1 + SRG-OS-000480-GPOS-00227 + CCI-000366 + The rngd service +feeds random data from hardware device to kernel random device. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'rngd.service' +"$SYSTEMCTL_EXEC" start 'rngd.service' +"$SYSTEMCTL_EXEC" enable 'rngd.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable service rngd + block: + + - name: Gather the package facts + package_facts: + manager: auto + + - name: Enable service rngd + service: + name: rngd + enabled: 'yes' + state: started + masked: 'no' + when: + - '"rng-tools" in ansible_facts.packages' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_rngd_enabled + + include enable_rngd + +class enable_rngd { + service {'rngd': + enable => true, + ensure => 'running', + } +} + + + + + + + + + + + System Security Services Daemon + The System Security Services Daemon (SSSD) is a system daemon that provides access +to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD, +openLDAP, MIT Kerberos, etc. It uses a common framework that can provide caching and offline +support to systems utilizing SSSD. SSSD using caching to reduce load on authentication +servers permit offline authentication as well as store extended user data. + +For more information, see + + + SSSD memcache_timeout option + Value of the memcache_timeout option in the [nss] section +of SSSD config /etc/sssd/sssd.conf. + 180 + 300 + 600 + 900 + 1800 + 86400 + 300 + + + SSSD ssh_known_hosts_timeout option + Value of the ssh_known_hosts_timeout option in the [ssh] section +of SSSD configuration file /etc/sssd/sssd.conf. 
+ 180 + 300 + 600 + 900 + 1800 + 86400 + 180 + + + Install sssd-ipa Package + The sssd-ipa package can be installed with the following command: + +$ sudo dnf install sssd-ipa + SRG-OS-000480-GPOS-00227 + sssd-ipa provides the IPA back end that the SSSD can utilize to +fetch identity data from and authenticate against an IPA server. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common; then + +if ! rpm -q --quiet "sssd-ipa" ; then + dnf install -y "sssd-ipa" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_sssd-ipa_installed + +- name: Ensure sssd-ipa is installed + package: + name: sssd-ipa + state: present + when: '"sssd-common" in ansible_facts.packages' + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_sssd-ipa_installed + + include install_sssd-ipa + +class install_sssd-ipa { + package { 'sssd-ipa': + ensure => 'installed', + } +} + + +package --add=sssd-ipa + + +[[packages]] +name = "sssd-ipa" +version = "*" + + + + + + + + + + Configure SSSD's Memory Cache to Expire + SSSD's memory cache should be configured to set to expire records after + seconds. +To configure SSSD to expire memory cache, set memcache_timeout to + under the +[nss] section in /etc/sssd/sssd.conf. 
+ +For example: +[nss] +memcache_timeout = + + CCI-002007 + CM-6(a) + IA-5(13) + PR.AC-1 + PR.AC-6 + PR.AC-7 + SRG-OS-000383-GPOS-00166 + SRG-OS-000383-VMM-001570 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + If cached authentication information is out-of-date, the validity of the +authentication information may be questionable. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then + + +var_sssd_memcache_timeout="" + + + +SSSD_CONF="/etc/sssd/sssd.conf" +MEMCACHE_TIMEOUT_REGEX="[[:space:]]*\[nss]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout" +NSS_REGEX="[[:space:]]*\[nss]" + +# Try find [nss] and memcache_timeout in sssd.conf, if it exists, set to +# var_sssd_memcache_timeout, if it isn't here, add it, if [nss] doesn't +# exist, add it there +if grep -qzosP $MEMCACHE_TIMEOUT_REGEX $SSSD_CONF; then + sed -i "s/memcache_timeout[^(\n)]*/memcache_timeout = $var_sssd_memcache_timeout/" $SSSD_CONF +elif grep -qs $NSS_REGEX $SSSD_CONF; then + sed -i "/$NSS_REGEX/a memcache_timeout = $var_sssd_memcache_timeout" $SSSD_CONF +else + mkdir -p /etc/sssd + touch $SSSD_CONF + echo -e "[nss]\nmemcache_timeout = $var_sssd_memcache_timeout" >> $SSSD_CONF +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(13) + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - sssd_memcache_timeout + - unknown_strategy +- 
name: XCCDF Value var_sssd_memcache_timeout # promote to variable + set_fact: + var_sssd_memcache_timeout: !!str + tags: + - always + +- name: Test for domain group + command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf + register: test_grep_domain + ignore_errors: true + changed_when: false + check_mode: false + when: + - '"sssd-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(13) + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - sssd_memcache_timeout + - unknown_strategy + +- name: Add default domain group (if no domain there) + ini_file: + path: /etc/sssd/sssd.conf + section: '{{ item.section }}' + option: '{{ item.option }}' + value: '{{ item.value }}' + create: true + mode: 384 + with_items: + - section: sssd + option: domains + value: default + - section: domain/default + option: id_provider + value: files + when: + - '"sssd-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - test_grep_domain.stdout is defined + - test_grep_domain.stdout | length < 1 + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(13) + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - sssd_memcache_timeout + - unknown_strategy + +- name: Configure SSSD's Memory Cache to Expire + ini_file: + dest: /etc/sssd/sssd.conf + section: nss + option: memcache_timeout + value: '{{ var_sssd_memcache_timeout }}' + create: true + mode: 384 + when: + - '"sssd-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(13) + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - sssd_memcache_timeout + - unknown_strategy + + + + + + + + + + + Configure SSSD to Expire SSH Known Hosts + 
SSSD should be configured to expire keys from known SSH hosts after + seconds. +To configure SSSD to known SSH hosts, set ssh_known_hosts_timeout +to under the +[ssh] section in /etc/sssd/sssd.conf. For example: +[ssh] +ssh_known_hosts_timeout = + + CCI-002007 + CM-6(a) + IA-5(13) + PR.AC-1 + PR.AC-6 + PR.AC-7 + SRG-OS-000383-GPOS-00166 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + If cached authentication information is out-of-date, the validity of the +authentication information may be questionable. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; }; then + + +var_sssd_ssh_known_hosts_timeout="" + + + +SSSD_CONF="/etc/sssd/sssd.conf" +SSH_KNOWN_HOSTS_TIMEOUT_REGEX="[[:space:]]*\[ssh]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout" +SSH_REGEX="[[:space:]]*\[ssh]" + +# Try find [ssh] and ssh_known_hosts_timeout in sssd.conf, if it exists, set to +# var_sssd_ssh_known_hosts_timeout, if it isn't here, add it, if [ssh] doesn't +# exist, add it there +if grep -qzosP $SSH_KNOWN_HOSTS_TIMEOUT_REGEX $SSSD_CONF; then + sed -i "s/ssh_known_hosts_timeout[^(\n)]*/ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout/" $SSSD_CONF +elif grep -qs $SSH_REGEX $SSSD_CONF; then + sed -i "/$SSH_REGEX/a ssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" $SSSD_CONF +else + mkdir -p /etc/sssd + touch $SSSD_CONF + echo -e "[ssh]\nssh_known_hosts_timeout = $var_sssd_ssh_known_hosts_timeout" >> $SSSD_CONF +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(13) + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - sssd_ssh_known_hosts_timeout + - unknown_strategy +- name: XCCDF Value var_sssd_ssh_known_hosts_timeout # promote to variable + set_fact: + var_sssd_ssh_known_hosts_timeout: !!str + tags: + - always + +- name: Test for domain group + command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf + register: test_grep_domain + ignore_errors: true + changed_when: false + check_mode: false + when: + - '"sssd-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(13) + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - sssd_ssh_known_hosts_timeout + - unknown_strategy + +- name: Add default domain group (if no domain there) + ini_file: + path: /etc/sssd/sssd.conf 
+ section: '{{ item.section }}' + option: '{{ item.option }}' + value: '{{ item.value }}' + create: true + mode: 384 + with_items: + - section: sssd + option: domains + value: default + - section: domain/default + option: id_provider + value: files + when: + - '"sssd-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - test_grep_domain.stdout is defined + - test_grep_domain.stdout | length < 1 + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(13) + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - sssd_ssh_known_hosts_timeout + - unknown_strategy + +- name: Configure SSSD to Expire SSH Known Hosts + ini_file: + dest: /etc/sssd/sssd.conf + section: ssh + option: ssh_known_hosts_timeout + value: '{{ var_sssd_ssh_known_hosts_timeout }}' + create: true + mode: 384 + when: + - '"sssd-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(13) + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - sssd_ssh_known_hosts_timeout + - unknown_strategy + + + + + + + + + + + Configure SSSD to run as user sssd + SSSD processes should be configured to run as user sssd, not root. + FMT_SMF_EXT.1 + SRG-OS-000480-GPOS-00227 + To minimize privileges of SSSD processes, they are configured to +run as non-root user. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common; then + +found=false +for f in $( ls /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf 2> /dev/null ) ; do + user=$( awk '/^\s*\[/{f=0} /^\s*\[sssd\]/{f=1} f{nu=gensub("^\\s*user\\s*=\\s*(\\S+).*","\\1",1); if($0!=nu){user=nu}} END{print user}' $f ) + if [ -n "$user" ] ; then + if [ "$user" != sssd ] ; then + sed -i 's/^\s*user\s*=.*/user = sssd/' $f + fi + found=true + fi +done + +if ! 
$found ; then + SSSD_CONF="/etc/sssd/conf.d/ospp.conf" + mkdir -p $( dirname $SSSD_CONF ) + touch $SSSD_CONF + chown root:root $SSSD_CONF + chmod 600 $SSSD_CONF + echo -e "[sssd]\nuser = sssd" >> $SSSD_CONF +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + + + + + + + + + Enable Smartcards in SSSD + SSSD should be configured to authenticate access to the system +using smart cards. To enable smart cards in SSSD, set pam_cert_auth +to true under the [pam] +section in /etc/sssd/sssd.conf. For example: +[pam] +pam_cert_auth = true + + CCI-001954 + CCI-000765 + SRG-OS-000375-GPOS-00160 + SRG-OS-000105-GPOS-00052 + SRG-OS-000107-VMM-000530 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + Using an authentication device, such as a CAC or token that is separate from +the information system, ensures that even if the information system is +compromised, that compromise will not affect credentials stored on the +authentication device. + +Multifactor solutions that require devices separate from +information systems gaining access include, for example, hardware tokens +providing time-based or challenge-response authenticators and smart cards such +as the U.S. Government Personal Identity Verification card and the DoD Common +Access Card. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; }; then + +SSSD_CONF="/etc/sssd/sssd.conf" +SSSD_OPT="pam_cert_auth" +SSSD_OPT_VAL=true +PAM_REGEX="[[:space:]]*\[pam]" +PAM_OPT_REGEX="${PAM_REGEX}([^\n\[]*\n+)+?[[:space:]]*${SSSD_OPT}" + +if grep -qzosP $PAM_OPT_REGEX $SSSD_CONF; then + sed -i "s/${SSSD_OPT}[^(\n)]*/${SSSD_OPT} = ${SSSD_OPT_VAL}/" $SSSD_CONF +elif grep -qs $PAM_REGEX $SSSD_CONF; then + sed -i "/$PAM_REGEX/a ${SSSD_OPT} = ${SSSD_OPT_VAL}" $SSSD_CONF +else + mkdir -p /etc/sssd + touch $SSSD_CONF + echo -e "[pam]\n${SSSD_OPT} = ${SSSD_OPT_VAL}" >> $SSSD_CONF +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - sssd_enable_smartcards + +- name: Test for domain group + command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf + register: test_grep_domain + ignore_errors: true + changed_when: false + check_mode: false + when: + - '"sssd-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - sssd_enable_smartcards + +- name: Add default domain group (if no domain there) + ini_file: + path: /etc/sssd/sssd.conf + section: '{{ item.section }}' + option: '{{ item.option }}' + value: '{{ item.value }}' + create: true + mode: 384 + with_items: + - section: sssd + option: domains + value: default + - section: domain/default + option: id_provider + value: files + when: + - '"sssd-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - test_grep_domain.stdout is defined + - test_grep_domain.stdout | length < 1 + tags: + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - 
sssd_enable_smartcards + +- name: Enable Smartcards in SSSD + ini_file: + dest: /etc/sssd/sssd.conf + section: pam + option: pam_cert_auth + value: 'true' + create: true + mode: 384 + when: + - '"sssd-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - sssd_enable_smartcards + + + + + + + + + + Configure SSSD to Expire Offline Credentials + SSSD should be configured to expire offline credentials after 1 day. +To configure SSSD to expire offline credentials, set +offline_credentials_expiration to 1 under the [pam] +section in /etc/sssd/sssd.conf. For example: +[pam] +offline_credentials_expiration = 1 + + CCI-002007 + CM-6(a) + IA-5(13) + PR.AC-1 + PR.AC-6 + PR.AC-7 + SRG-OS-000383-GPOS-00166 + SRG-OS-000383-VMM-001570 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.18.1.4 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + If cached authentication information is out-of-date, the validity of the +authentication information may be questionable. + + # Remediation is applicable only in certain platforms +if rpm --quiet -q sssd-common && { [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; }; then + +SSSD_CONF="/etc/sssd/sssd.conf" +SSSD_OPT="offline_credentials_expiration" +SSSD_OPT_VAL=1 +PAM_REGEX="[[:space:]]*\[pam]" +PAM_OPT_REGEX="${PAM_REGEX}([^\n\[]*\n+)+?[[:space:]]*${SSSD_OPT}" + +# Try find [pam] and offline_credentials_expiration in sssd.conf, if it exists +# set it to 1, if it doesn't exist add it, if [pam] section doesn't exist add +# the section and the configuration option. +if grep -qzosP $PAM_OPT_REGEX $SSSD_CONF; then + sed -i "s/${SSSD_OPT}[^(\n)]*/${SSSD_OPT} = ${SSSD_OPT_VAL}/" $SSSD_CONF +elif grep -qs $PAM_REGEX $SSSD_CONF; then + sed -i "/$PAM_REGEX/a ${SSSD_OPT} = ${SSSD_OPT_VAL}" $SSSD_CONF +else + mkdir -p /etc/sssd + touch $SSSD_CONF + echo -e "[pam]\n${SSSD_OPT} = ${SSSD_OPT_VAL}" >> $SSSD_CONF +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Gather the package facts + package_facts: + manager: auto + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(13) + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - sssd_offline_cred_expiration + +- name: Test for domain group + command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf + register: test_grep_domain + ignore_errors: true + changed_when: false + check_mode: false + when: + - '"sssd-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(13) + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - sssd_offline_cred_expiration + +- name: Add default domain group (if no domain there) + ini_file: + path: /etc/sssd/sssd.conf + section: '{{ item.section }}' + option: '{{ item.option }}' + value: '{{ item.value }}' + create: true + mode: 384 + with_items: + - section: sssd + option: domains + value: default + - section: domain/default + option: id_provider + value: files + when: + - 
'"sssd-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - test_grep_domain.stdout is defined + - test_grep_domain.stdout | length < 1 + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(13) + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - sssd_offline_cred_expiration + +- name: Configure SSD to Expire Offline Credentials + ini_file: + dest: /etc/sssd/sssd.conf + section: pam + option: offline_credentials_expiration + value: 1 + create: true + mode: 384 + when: + - '"sssd-common" in ansible_facts.packages' + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(13) + - configure_strategy + - low_complexity + - medium_disruption + - medium_severity + - no_reboot_needed + - sssd_offline_cred_expiration + + + + + + + + + + System Security Services Daemon (SSSD) - LDAP + The System Security Services Daemon (SSSD) is a system daemon that provides access +to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD, +openLDAP, MIT Kerberos, etc. It uses a common framework that can provide caching and offline +support to systems utilizing SSSD. SSSD using caching to reduce load on authentication +servers permit offline authentication as well as store extended user data. + +SSSD can support many backends including LDAP. The sssd-ldap backend +allows SSSD to fetch identity information from an LDAP server. + + + SSSD LDAP Backend Client CA Certificate Location + Path of a directory that contains Certificate Authority certificates. + /etc/openldap/cacerts + + + + + USBGuard daemon + The USBGuard daemon enforces the USB device authorization policy for all USB devices. 
+ + + Install usbguard Package + +The usbguard package can be installed with the following command: + +$ sudo dnf install usbguard + SRG-OS-000378-GPOS-00163 + 1418 + CCI-001958 + usbguard is a software framework that helps to protect +against rogue USB devices by implementing basic whitelisting/blacklisting +capabilities based on USB device attributes. + + +if ! rpm -q --quiet "usbguard" ; then + dnf install -y "usbguard" +fi + + - name: Ensure usbguard is installed + package: + name: usbguard + state: present + tags: + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_usbguard_installed + + include install_usbguard + +class install_usbguard { + package { 'usbguard': + ensure => 'installed', + } +} + + +package --add=usbguard + + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + extensions: + - usbguard + + +[[packages]] +name = "usbguard" +version = "*" + + + + + + + + + + Enable the USBGuard Service + The USBGuard service should be enabled. + +The usbguard service can be enabled with the following command: +$ sudo systemctl enable usbguard.service + FMT_SMF_EXT.1 + SRG-OS-000378-GPOS-00163 + 1418 + CCI-000416 + CCI-001958 + CM-8(3)(a) + IA-3 + The usbguard service must be running in order to +enforce the USB device authorization policy for all USB devices. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" unmask 'usbguard.service' +"$SYSTEMCTL_EXEC" start 'usbguard.service' +"$SYSTEMCTL_EXEC" enable 'usbguard.service' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable service usbguard + block: + + - name: Gather the package facts + package_facts: + manager: auto + + - name: Enable service usbguard + service: + name: usbguard + enabled: 'yes' + state: started + masked: 'no' + when: + - '"usbguard" in ansible_facts.packages' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-8(3)(a) + - NIST-800-53-IA-3 + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - service_usbguard_enabled + + include enable_usbguard + +class enable_usbguard { + service {'usbguard': + enable => true, + ensure => 'running', + } +} + + --- +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +metadata: + annotations: + complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: usbguard.service + enabled: true + + + + + + + + + + Log USBGuard daemon audit events using Linux Audit + To configure USBGuard daemon to log via Linux Audit +(as opposed directly to a file), +AuditBackend option in /etc/usbguard/usbguard-daemon.conf +needs to be set to LinuxAudit. + FMT_SMF_EXT.1 + SRG-OS-000062-GPOS-00031 + CCI-000169 + Using the Linux Audit logging allows for centralized trace +of events. 
+ + if [ -e "/etc/usbguard/usbguard-daemon.conf" ] ; then + LC_ALL=C sed -i "/^\s*AuditBackend=/d" "/etc/usbguard/usbguard-daemon.conf" +else + touch "/etc/usbguard/usbguard-daemon.conf" +fi +cp "/etc/usbguard/usbguard-daemon.conf" "/etc/usbguard/usbguard-daemon.conf.bak" +# Insert at the end of the file +printf '%s\n' "AuditBackend=LinuxAudit" >> "/etc/usbguard/usbguard-daemon.conf" +# Clean up after ourselves. +rm "/etc/usbguard/usbguard-daemon.conf.bak" + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +metadata: + annotations: + complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%0A%23%0A%23%20Rule%20set%20file%20path.%0A%23%0A%23%20The%20USBGuard%20daemon%20will%20use%20this%20file%20to%20load%20the%20policy%0A%23%20rule%20set%20from%20it%20and%20to%20write%20new%20rules%20received%20via%20the%0A%23%20IPC%20interface.%0A%23%0A%23%20RuleFile%3D/path/to/rules.conf%0A%23%0ARuleFile%3D/etc/usbguard/rules.conf%0A%0A%23%0A%23%20Rule%20set%20folder%20path.%0A%23%0A%23%20The%20USBGuard%20daemon%20will%20use%20this%20folder%20to%20load%20the%20policy%0A%23%20rule%20set%20from%20it%20and%20to%20write%20new%20rules%20received%20via%20the%0A%23%20IPC%20interface.%20Usually%2C%20we%20set%20the%20option%20to%0A%23%20/etc/usbguard/rules.d/.%20The%20USBGuard%20daemon%20is%20supposed%20to%0A%23%20behave%20like%20any%20other%20standard%20Linux%20daemon%20therefore%20it%0A%23%20loads%20rule%20files%20in%20alpha-numeric%20order.%20File%20names%20inside%0A%23%20RuleFolder%20directory%20should%20start%20with%20a%20two-digit%20number%0A%23%20prefix%20indicating%20the%20position%2C%20in%20which%20the%20rules%20are%0A%23%20scanned%20by%20the%20daemon.%0A%23%0A%23%20RuleFolder%3D/path/to/rulesfolder/%0A%23%0ARuleFolder%3D/etc/usbguard/rules.d/%0A%0A%23%0A%23%20Implicit%20policy%20target.%0A%23%0A%23%20How%20to%20treat%20devices
%20that%20don%27t%20match%20any%20rule%20in%20the%0A%23%20policy.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20-%20authorize%20the%20device%0A%23%20%2A%20block%20%20-%20block%20the%20device%0A%23%20%2A%20reject%20-%20remove%20the%20device%0A%23%0AImplicitPolicyTarget%3Dblock%0A%0A%23%0A%23%20Present%20device%20policy.%0A%23%0A%23%20How%20to%20treat%20devices%20that%20are%20already%20connected%20when%20the%0A%23%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20%20%20%20%20%20%20-%20authorize%20every%20present%20device%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20just%20sync%20the%20internal%20state%20and%20leave%20it%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0APresentDevicePolicy%3Dapply-policy%0A%0A%23%0A%23%20Present%20controller%20policy.%0A%23%0A%23%20How%20to%20treat%20USB%20controllers%20that%20are%20already%20connected%0A%23%20when%20the%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20%20%20%20%20%20%20-%20authorize%20every%20present%20device%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20just%20sync%20the%20internal%20state%20and%20leave%20it%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0APresentControllerPolicy%3Dkeep%0A%0A%23%0A%23%20Inserted%20device%20policy.%0A%23%0A%23%20How%20to%20treat%20USB%20devices%20that%20are%20already%20connected%0A%23%20%2Aafter%2A%20the%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present
%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0AInsertedDevicePolicy%3Dapply-policy%0A%0A%23%0A%23%20Control%20which%20devices%20are%20authorized%20by%20default.%0A%23%0A%23%20The%20USBGuard%20daemon%20modifies%20some%20the%20default%20authorization%20state%20attributes%0A%23%20of%20controller%20devices.%20This%20setting%2C%20enables%20you%20to%20define%20what%20value%20the%0A%23%20default%20authorization%20is%20set%20to.%0A%23%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20do%20not%20change%20the%20authorization%20state%0A%23%20%2A%20none%20%20%20%20%20%20%20%20%20-%20every%20new%20device%20starts%20out%20deauthorized%0A%23%20%2A%20all%20%20%20%20%20%20%20%20%20%20-%20every%20new%20device%20starts%20out%20authorized%0A%23%20%2A%20internal%20%20%20%20%20-%20internal%20devices%20start%20out%20authorized%2C%20external%20devices%20start%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20out%20deauthorized%20%28this%20requires%20the%20ACPI%20tables%20to%20properly%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20label%20internal%20devices%2C%20and%20kernel%20support%29%0A%23%0A%23AuthorizedDefault%3Dnone%0A%0A%23%0A%23%20Restore%20controller%20device%20state.%0A%23%0A%23%20The%20USBGuard%20daemon%20modifies%20some%20attributes%20of%20controller%0A%23%20devices%20like%20the%20default%20authorization%20state%20of%20new%20child%20device%0A%23%20instances.%20Using%20this%20setting%2C%20you%20can%20control%20whether%20the%0A%23%20daemon%20will%20try%20to%20restore%20the%20attribute%20values%20to%20the%20state%0A%23%20before%20modification%20on%20shutdown.%0A%23%0A%23%20SECURITY%20CONSIDERATIONS%3A%20If%20set%20to%20true%2C%20the%20USB%20authorization%0A%23%20policy%20could%20be%20bypassed%20by%20performing%20some%20sort%20of%20attack%20on%20the%0A%23%20daemon%20
%28via%20a%20local%20exploit%20or%20via%20a%20USB%20device%29%20to%20make%20it%20shutdown%0A%23%20and%20restore%20to%20the%20operating-system%20default%20state%20%28known%20to%20be%20permissive%29.%0A%23%0ARestoreControllerDeviceState%3Dfalse%0A%0A%23%0A%23%20Device%20manager%20backend%0A%23%0A%23%20Which%20device%20manager%20backend%20implementation%20to%20use.%20One%20of%3A%0A%23%0A%23%20%2A%20uevent%20%20%20-%20Netlink%20based%20implementation%20which%20uses%20sysfs%20to%20scan%20for%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20devices%20and%20an%20uevent%20netlink%20socket%20for%20receiving%20USB%20device%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20related%20events.%0A%23%20%2A%20umockdev%20-%20umockdev%20based%20device%20manager%20capable%20of%20simulating%20devices%20based%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20on%20umockdev-record%20files.%20Useful%20for%20testing.%0A%23%0ADeviceManagerBackend%3Duevent%0A%0A%23%21%21%21%20WARNING%3A%20It%27s%20good%20practice%20to%20set%20at%20least%20one%20of%20the%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20two%20options%20bellow.%20If%20none%20of%20them%20are%20set%2C%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20the%20daemon%20will%20accept%20IPC%20connections%20from%20%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20anyone%2C%20thus%20allowing%20anyone%20to%20modify%20the%20%20%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20rule%20set%20and%20%28de%29authorize%20USB%20devices.%20%20%20%20%20%20%20%21%21%21%0A%0A%23%0A%23%20Users%20allowed%20to%20use%20the%20IPC%20interface.%0A%23%0A%23%20A%20space%20delimited%20list%20of%20usernames%20that%20the%20daemon%20will%0A%23%20accept%20IPC%20connections%20from.%0A%23%0A%23%20IPCAllowedUsers%3Dusername1%20username2%20...%0A%23%0AIPCAllowedUsers%3Droot%0A%0A%23%0A%23%20Groups%20allowed%20to%20use%20the%20IPC%20interface.%0A%23%0A%23%20A%20space%20delimited%20list%20of%20groupnames%20that%20the%20daemon%20will%0
A%23%20accept%20IPC%20connections%20from.%0A%23%0A%23%20IPCAllowedGroups%3Dgroupname1%20groupname2%20...%0A%23%0AIPCAllowedGroups%3Dwheel%0A%0A%23%0A%23%20IPC%20access%20control%20definition%20files%20path.%0A%23%0A%23%20The%20files%20at%20this%20location%20will%20be%20interpreted%20by%20the%20daemon%0A%23%20as%20access%20control%20definition%20files.%20The%20%28base%29name%20of%20a%20file%0A%23%20should%20be%20in%20the%20form%3A%0A%23%0A%23%20%20%20%5Buser%5D%5B%3A%3Cgroup%3E%5D%0A%23%0A%23%20and%20should%20contain%20lines%20in%20the%20form%3A%0A%23%0A%23%20%20%20%3Csection%3E%3D%5Bprivilege%5D%20...%0A%23%0A%23%20This%20way%20each%20file%20defines%20who%20is%20able%20to%20connect%20to%20the%20IPC%0A%23%20bus%20and%20what%20privileges%20he%20has.%0A%23%0AIPCAccessControlFiles%3D/etc/usbguard/IPCAccessControl.d/%0A%0A%23%0A%23%20Generate%20device%20specific%20rules%20including%20the%20%22via-port%22%0A%23%20attribute.%0A%23%0A%23%20This%20option%20modifies%20the%20behavior%20of%20the%20allowDevice%0A%23%20action.%20When%20instructed%20to%20generate%20a%20permanent%20rule%2C%0A%23%20the%20action%20can%20generate%20a%20port%20specific%20rule.%20Because%0A%23%20some%20systems%20have%20unstable%20port%20numbering%2C%20the%20generated%0A%23%20rule%20might%20not%20match%20the%20device%20after%20rebooting%20the%20system.%0A%23%0A%23%20If%20set%20to%20false%2C%20the%20generated%20rule%20will%20still%20contain%0A%23%20the%20%22parent-hash%22%20attribute%20which%20also%20defines%20an%20association%0A%23%20to%20the%20parent%20device.%20See%20usbguard-rules.conf%285%29%20for%20more%0A%23%20details.%0A%23%0ADeviceRulesWithPort%3Dfalse%0A%0A%23%0A%23%20USBGuard%20Audit%20events%20log%20backend%0A%23%0A%23%20One%20of%3A%0A%23%0A%23%20%2A%20FileAudit%20-%20Log%20audit%20events%20into%20a%20file%20specified%20by%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20AuditFilePath%20setting%20%28see%20below%29%0A%23%20%2A%20LinuxAudit%20-%20Log%20audit%20events%20using%20the%20Linux%20Aud
it%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20subsystem%20%28using%20audit_log_user_message%29%0A%23%0AAuditBackend%3DLinuxAudit%0A%0A%23%0A%23%20USBGuard%20audit%20events%20log%20file%20path.%0A%23%0A%23AuditFilePath%3D/var/log/usbguard/usbguard-audit.log%0A%0A%23%0A%23%20Hides%20personally%20identifiable%20information%20such%20as%20device%20serial%20numbers%20and%0A%23%20hashes%20of%20descriptors%20%28which%20include%20the%20serial%20number%29%20from%20audit%20entries.%0A%23%0A%23HidePII%3Dfalse + mode: 0600 + path: /etc/usbguard/usbguard-daemon.conf + overwrite: true + + + + + + + + + + Authorize Human Interface Devices and USB hubs in USBGuard daemon + To allow authorization of USB devices combining human interface device and hub capabilities +by USBGuard daemon, +add the line +allow with-interface match-all { 03:*:* 09:00:* } +to /etc/usbguard/rules.conf. + This rule should be understood primarily as a convenience administration feature. This rule ensures that if the USBGuard default rules.conf file is present, it will alter it so that USB human interface devices and hubs are allowed. However, if the rules.conf file is altered by system administrator, the rule does not check if USB human interface devices and hubs are allowed. This assumes that an administrator modified the file with some purpose in mind. + FMT_SMF_EXT.1 + SRG-OS-000114-GPOS-00059 + Without allowing Human Interface Devices, it might not be possible +to interact with the system. Without allowing hubs, it might not be possible to use any +USB devices on the system. 
+ + #!/bin/bash + + +echo "allow with-interface match-all { 03:*:* 09:00:* }" >> /etc/usbguard/rules.conf + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +metadata: + annotations: + complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: data:,%0Aallow%20with-interface%20match-all%20%7B%2003%3A%2A%3A%2A%2009%3A00%3A%2A%20%7D + mode: 0600 + path: /etc/usbguard/rules.d/75-hid-and-hub.conf + overwrite: true + + + + + + + + + + Authorize Human Interface Devices in USBGuard daemon + To allow authorization of Human Interface Devices (keyboard, mouse) +by USBGuard daemon, +add the line +allow with-interface match-all { 03:*:* } +to /etc/usbguard/rules.conf. + This rule should be understood primarily as a convenience administration feature. This rule ensures that if the USBGuard default rules.conf file is present, it will alter it so that USB human interface devices are allowed. However, if the rules.conf file is altered by system administrator, the rule does not check if USB human interface devices are allowed. This assumes that an administrator modified the file with some purpose in mind. + FMT_SMF_EXT.1 + SRG-OS-000114-GPOS-00059 + Without allowing Human Interface Devices, it might not be possible +to interact with the system. + + +# path of file with Usbguard rules +rulesfile="/etc/usbguard/rules.conf" + +echo "allow with-interface match-all { 03:*:* }" >> $rulesfile + + + + + + + + + + Authorize USB hubs in USBGuard daemon + To allow authorization of USB hub devices by USBGuard daemon, +add line +allow with-interface match-all { 09:00:* } +to /etc/usbguard/rules.conf. + This rule should be understood primarily as a convenience administration feature. This rule ensures that if the USBGuard default rules.conf file is present, it will alter it so that USB hub devices are allowed. 
However, if the rules.conf file is altered by system administrator, the rule does not check if USB hub devices are allowed. This assumes that an administrator modified the file with some purpose in mind. + FMT_SMF_EXT.1 + SRG-OS-000114-GPOS-00059 + Without allowing hubs, it might not be possible to use any +USB devices on the system. + + + +echo "allow with-interface match-all { 09:00:* }" >> /etc/usbguard/rules.conf + + + + + + + + + + + SSH Server + The SSH protocol is recommended for remote login and +remote file transfer. SSH provides confidentiality and integrity +for data exchanged between two systems, as well as server +authentication, through the use of public key cryptography. The +implementation included with the system is called OpenSSH, and more +detailed documentation is available from its website, + + https://www.openssh.com. +Its server program is called sshd and provided by the RPM package +openssh-server. + + + SSH enabled firewalld zone + Specify firewalld zone to enable SSH service. This value is used only for remediation purposes. + block + public + dmz + drop + external + home + internal + public + trusted + work + + + SSH Approved ciphers by FIPS + Specify the FIPS approved ciphers that are used for data integrity protection by the SSH server. + aes128-ctr,aes192-ctr,aes256-ctr + aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se + + + SSH Approved MACs by FIPS + Specify the FIPS approved MACs (message authentication code) algorithms + that are used for data integrity protection by the SSH server. + hmac-sha2-512,hmac-sha2-256 + hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com + + + SSH session Idle time + Specify duration of allowed idle time. + 600 + 7200 + 840 + 900 + 1800 + 300 + 3600 + 300 + + + SSH Server Listening Port + Specify port the SSH server is listening. 
+ 22 + + + SSH Max authentication attempts + Specify the maximum number of authentication attempts per connection. + 10 + 3 + 4 + 5 + 4 + + + SSH is required to be installed + Specify if the Policy requires SSH to be installed. Used by SSH Rules +to determine if SSH should be uninstalled or configured. +A value of 0 means that the policy doesn't care if OpenSSH server is installed or not. If it is installed, scanner will check for it's configuration, if it's not installed, the check will pass. +A value of 1 indicates that OpenSSH server package is not required by the policy; +A value of 2 indicates that OpenSSH server package is required by the policy. + 0 + 1 + 2 + + + SSH Max Sessions Count + Specify the maximum number of open sessions permitted. + 10 + 4 + 3 + 2 + 1 + 0 + 10 + + + SSH Max Keep Alive Count + Specify the maximum number of idle message counts before session is terminated. + 10 + 3 + 5 + 0 + 1 + 0 + + + Install the OpenSSH Server Package + The openssh-server package should be installed. +The openssh-server package can be installed with the following command: + +$ sudo dnf install openssh-server + CCI-002418 + CCI-002420 + CCI-002421 + CCI-002422 + CM-6(a) + PR.DS-2 + PR.DS-5 + SRG-OS-000423-GPOS-00187 + SRG-OS-000424-GPOS-00188 + SRG-OS-000425-GPOS-00189 + SRG-OS-000426-GPOS-00190 + SR 3.1 + SR 3.8 + SR 4.1 + SR 4.2 + SR 5.2 + APO01.06 + DSS05.02 + DSS05.04 + DSS05.07 + DSS06.02 + DSS06.06 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 13 + 14 + FIA_UAU.5 + FTP_ITC_EXT.1 + Without protection of the transmitted information, confidentiality, and +integrity may be compromised because unprotected communications can be +intercepted and either read or altered. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if ! rpm -q --quiet "openssh-server" ; then + dnf install -y "openssh-server" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure openssh-server is installed + package: + name: openssh-server + state: present + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(a) + - enable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_openssh-server_installed + + include install_openssh-server + +class install_openssh-server { + package { 'openssh-server': + ensure => 'installed', + } +} + + +package --add=openssh-server + + +[[packages]] +name = "openssh-server" +version = "*" + + + + + + + + + + Remove the OpenSSH Server Package + The openssh-server package should be removed. +The openssh-server package can be removed with the following command: + +$ sudo dnf erase openssh-server + Without protection of the transmitted information, confidentiality, and +integrity may be compromised because unprotected communications can be +intercepted and either read or altered. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +# CAUTION: This remediation script will remove openssh-server +# from the system, and may remove any packages +# that depend on openssh-server. Execute this +# remediation AFTER testing on a non-production +# system! 
+ +if rpm -q --quiet "openssh-server" ; then + dnf remove -y "openssh-server" +fi + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Ensure openssh-server is removed + package: + name: openssh-server + state: absent + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_openssh-server_removed + + include remove_openssh-server + +class remove_openssh-server { + package { 'openssh-server': + ensure => 'purged', + } +} + + +package --remove=openssh-server + + + + + + + + + + Disable SSH Server If Possible (Unusual) + The SSH server service, sshd, is commonly needed. +However, if it can be disabled, do so. + + +The sshd service can be disabled with the following command: +$ sudo systemctl mask --now sshd.service + +This is unusual, as SSH is a common method for encrypted and authenticated +remote access. + + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +SYSTEMCTL_EXEC='/usr/bin/systemctl' +"$SYSTEMCTL_EXEC" stop 'sshd.service' +"$SYSTEMCTL_EXEC" disable 'sshd.service' +"$SYSTEMCTL_EXEC" mask 'sshd.service' +# Disable socket activation if we have a unit file for it +if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^sshd.socket'; then + "$SYSTEMCTL_EXEC" stop 'sshd.socket' + "$SYSTEMCTL_EXEC" mask 'sshd.socket' +fi +# The service may not be running because it has been started and failed, +# so let's reset the state so OVAL checks pass. +# Service should be 'inactive', not 'failed' after reboot though. 
+"$SYSTEMCTL_EXEC" reset-failed 'sshd.service' || true + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable service sshd + block: + + - name: Gather the service facts + service_facts: null + + - name: Disable service sshd + systemd: + name: sshd.service + enabled: 'no' + state: stopped + masked: 'yes' + when: '"sshd.service" in ansible_facts.services' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_sshd_disabled + - unknown_severity + +- name: Unit Socket Exists - sshd.socket + command: systemctl list-unit-files sshd.socket + args: + warn: false + register: socket_file_exists + changed_when: false + ignore_errors: true + check_mode: false + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_sshd_disabled + - unknown_severity + +- name: Disable socket sshd + systemd: + name: sshd.socket + enabled: 'no' + state: stopped + masked: 'yes' + when: + - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + - '"sshd.socket" in socket_file_exists.stdout_lines[1]' + tags: + - disable_strategy + - low_complexity + - low_disruption + - no_reboot_needed + - service_sshd_disabled + - unknown_severity + + include disable_sshd + +class disable_sshd { + service {'sshd': + enable => false, + ensure => 'stopped', + } +} + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: sshd.service + enabled: false + mask: true + - name: sshd.socket + enabled: false + mask: true + + + + + + + Verify Permissions on SSH Server Public *.pub Key Files + To properly set the permissions of /etc/ssh/*.pub, run the command: $ sudo chmod 0644 /etc/ssh/*.pub 
+ 3.1.13 + 3.13.10 + CCI-000366 + AC-17(a) + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SRG-OS-000480-GPOS-00227 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + If a public host key file is modified by an unauthorized user, the SSH service +may be compromised. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +readarray -t files < <(find /etc/ssh/) +for file in "${files[@]}"; do + if basename $file | grep -q '^.*.pub$'; then + chmod 0644 $file + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Find /etc/ssh/ file(s) + find: + paths: /etc/ssh/ + patterns: ^.*.pub$ + use_regex: true + register: files_found + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.13 + - NIST-800-171-3.13.10 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_permissions_sshd_pub_key + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Set permissions for /etc/ssh/ file(s) + file: + path: '{{ item.path }}' + mode: '0644' + with_items: + - '{{ files_found.files }}' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.13 + - NIST-800-171-3.13.10 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_permissions_sshd_pub_key + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + include ssh_public_key_perms + +class ssh_public_key_perms { + exec { 'sshd_pub_key': + command => 
"chmod 0644 /etc/ssh/*.pub", + path => '/bin:/usr/bin' + } +} + + + + + + + + + + Remove SSH Server iptables Firewall exception (Unusual) + By default, inbound connections to SSH's port are allowed. If the SSH +server is not being used, this exception should be removed from the +firewall configuration. + +Edit the files /etc/sysconfig/iptables and +/etc/sysconfig/ip6tables (if IPv6 is in use). In each file, locate +and delete the line: +-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT +This is unusual, as SSH is a common method for encrypted and authenticated +remote access. + If inbound SSH connections are not expected, disallowing access to the SSH +port will avoid possible exploitation of the port by an attacker. + + + + Verify Permissions on SSH Server Private *_key Key Files + + +To properly set the permissions of /etc/ssh/*_key, run the command: +$ sudo chmod 0640 /etc/ssh/*_key + 3.1.13 + 3.13.10 + CCI-000366 + AC-17(a) + CM-6(a) + AC-6(1) + PR.AC-4 + PR.DS-5 + SRG-OS-000480-GPOS-00227 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + BP28(R36) + If an unauthorized user obtains the private SSH host key file, the host could be +impersonated. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +readarray -t files < <(find /etc/ssh/) +for file in "${files[@]}"; do + if basename $file | grep -q '^.*_key$'; then + chmod 0640 $file + fi +done + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Find /etc/ssh/ file(s) + find: + paths: /etc/ssh/ + patterns: ^.*_key$ + use_regex: true + register: files_found + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.13 + - NIST-800-171-3.13.10 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_permissions_sshd_private_key + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + +- name: Set permissions for /etc/ssh/ file(s) + file: + path: '{{ item.path }}' + mode: '0640' + with_items: + - '{{ files_found.files }}' + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.13 + - NIST-800-171-3.13.10 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-6(1) + - NIST-800-53-CM-6(a) + - configure_strategy + - file_permissions_sshd_private_key + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + + include ssh_private_key_perms + +class ssh_private_key_perms { + exec { 'sshd_priv_key': + command => "chmod 0640 /etc/ssh/*_key", + path => '/bin:/usr/bin' + } +} + + + + + + + + + + Configure OpenSSH Client if Necessary + The following configuration changes apply to the SSH client. They can +improve security parameters relwevant to the client user, e.g. increasing +entropy while generating initialization vectors. Note that these changes +influence only the default SSH client configuration. Changes in this group +can be overridden by the client user by modifying files within the +~/.ssh directory or by supplying parameters on the command line. 
+ + + + Configure OpenSSH Server if Necessary + If the system needs to act as an SSH server, then +certain changes should be made to the OpenSSH daemon configuration +file /etc/ssh/sshd_config. The following recommendations can be +applied to this file. See the sshd_config(5) man page for more +detailed information. + + + SSH RekeyLimit - size + Specify the size component of the rekey limit. + default + 512M + 512M + 1G + + + SSH RekeyLimit - size + Specify the size component of the rekey limit. + none + 1h + 1h + + + SSH Compression Setting + Specify the compression setting for SSH connections. + no + delayed + no + + + SSH Privilege Separation Setting + Specify whether and how sshd separates privileges when handling incoming network connections. + no + yes + sandbox + sandbox + + + Force frequent session key renegotiation + The RekeyLimit parameter specifies how often +the session key of the is renegotiated, both in terms of +amount of data that may be transmitted and the time +elapsed. To decrease the default limits, put line +RekeyLimit to file /etc/ssh/sshd_config. + FCS_SSHS_EXT.1 + SRG-OS-000480-GPOS-00227 + SRG-OS-000033-GPOS-00014 + CCI-000068 + By decreasing the limit based on the amount of data and enabling +time-based limit, effects of potential attacks against +encryption keys are limited. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +var_rekey_limit_size="" + +var_rekey_limit_time="" + + + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*RekeyLimit\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. 
+ printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "RekeyLimit $var_rekey_limit_size $var_rekey_limit_time" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_rekey_limit_size # promote to variable + set_fact: + var_rekey_limit_size: !!str + tags: + - always +- name: XCCDF Value var_rekey_limit_time # promote to variable + set_fact: + var_rekey_limit_time: !!str + tags: + - always + +- name: Force frequent session key renegotiation + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*RekeyLimit\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*RekeyLimit\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*RekeyLimit\s+ + line: RekeyLimit {{ var_rekey_limit_size }} {{ var_rekey_limit_time }} + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - configure_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - sshd_rekey_limit + + + + + + + + + + + + + Disable GSSAPI Authentication + Unless needed, SSH should not permit extraneous or unnecessary +authentication mechanisms like GSSAPI. 
To disable GSSAPI authentication, add or +correct the following line in the /etc/ssh/sshd_config file: +GSSAPIAuthentication no + 3.1.12 + CCI-000318 + CCI-000368 + CCI-001812 + CCI-001813 + CCI-001814 + CCI-000366 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + CM-7(a) + CM-7(b) + CM-6(a) + AC-17(a) + PR.IP-1 + FTP_ITC_EXT.1 + SRG-OS-000364-GPOS-00151 + SRG-OS-000480-GPOS-00227 + SRG-OS-000480-VMM-002000 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 3 + 9 + 0418 + 1055 + 1402 + GSSAPI authentication is used to provide additional authentication mechanisms to +applications. Allowing GSSAPI authentication through SSH exposes the system's +GSSAPI to remote hosts, increasing the attack surface of the system. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "GSSAPIAuthentication no" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "GSSAPIAuthentication no" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. 
+rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable GSSAPI Authentication + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*GSSAPIAuthentication\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*GSSAPIAuthentication\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*GSSAPIAuthentication\s+ + line: GSSAPIAuthentication no + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_disable_gssapi_auth + + + + + + + + + + + Enable SSH Print Last Log + When enabled, SSH will display the date and time of the last +successful account logon. To enable LastLog in +SSH, add or correct the following line in the /etc/ssh/sshd_config file: +PrintLastLog yes + CCI-000366 + AC-9 + AC-17(a) + CM-6(a) + PR.AC-7 + SRG-OS-000480-GPOS-00227 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + Providing users feedback on when account accesses last occurred facilitates user +recognition and reporting of unauthorized account use. 
+ + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "PrintLastLog yes" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "PrintLastLog yes" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable SSH Print Last Log + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*PrintLastLog\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*PrintLastLog\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*PrintLastLog\s+ + line: PrintLastLog yes + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-9 + - NIST-800-53-CM-6(a) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - 
restrict_strategy + - sshd_print_last_log + + + + + + + + + + + Set SSH Idle Timeout Interval + SSH allows administrators to set an idle timeout interval. After this interval +has passed, the idle user will be automatically logged out. + +To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as +follows: +ClientAliveInterval + +The timeout interval is given in seconds. For example, have a timeout +of 10 minutes, set interval to 600. + +If a shorter timeout has already been set for the login shell, that value will +preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that +some processes may stop SSH from correctly detecting that the user is idle. + SSH disconnecting idle clients will not have desired effect without also +configuring ClientAliveCountMax in the SSH service configuration. + Following conditions may prevent the SSH session to time out: +Remote processes on the remote machine generates output. As the output has to be transferred over the network to the client, the timeout is reset every time such transfer happens.Any scp or sftp activity by the same user to the host resets the timeout. 
+ 5.5.6 + 3.1.11 + CCI-000879 + CCI-001133 + CCI-002361 + CM-6(a) + AC-17(a) + AC-2(5) + AC-12 + AC-17(a) + SC-10 + CM-6(a) + DE.CM-1 + DE.CM-3 + PR.AC-1 + PR.AC-4 + PR.AC-6 + PR.AC-7 + PR.IP-2 + Req-8.1.8 + SRG-OS-000126-GPOS-00066 + SRG-OS-000163-GPOS-00072 + SRG-OS-000279-GPOS-00109 + SRG-OS-000395-GPOS-00175 + SRG-OS-000480-VMM-002000 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 6.2 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.3 + APO13.01 + BAI03.01 + BAI03.02 + BAI03.03 + DSS01.03 + DSS03.05 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.12.4.1 + A.12.4.3 + A.14.1.1 + A.14.2.1 + A.14.2.5 + A.18.1.4 + A.6.1.2 + A.6.1.5 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + 7 + 8 + BP28(R29) + Terminating an idle ssh session within a short time period reduces the window of +opportunity for unauthorized personnel to take control of a management session +enabled on the console or console port that has been let unattended. + + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +sshd_idle_timeout_value="" + + + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*ClientAliveInterval\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. 
+ printf '%s\n' "ClientAliveInterval $sshd_idle_timeout_value" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "ClientAliveInterval $sshd_idle_timeout_value" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sshd_idle_timeout_value # promote to variable + set_fact: + sshd_idle_timeout_value: !!str + tags: + - always + +- name: Set SSH Idle Timeout Interval + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*ClientAliveInterval\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*ClientAliveInterval\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*ClientAliveInterval\s+ + line: ClientAliveInterval {{ sshd_idle_timeout_value }} + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.6 + - NIST-800-171-3.1.11 + - NIST-800-53-AC-12 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-2(5) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-10 + - PCI-DSS-Req-8.1.8 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_idle_timeout + + + + + + + + + + + + + Set SSH Daemon LogLevel to VERBOSE + The VERBOSE parameter configures the SSH daemon to record login and 
logout activity. +To specify the log level in +SSH, add or correct the following line in the /etc/ssh/sshd_config file: +LogLevel VERBOSE + SRG-OS-000032-GPOS-00013 + CCI-000067 + AC-17(a) + AC-17(1) + CM-6(a) + SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically +not recommended other than strictly for debugging SSH communications since it provides +so much data that it is difficult to identify important security information. INFO or +VERBOSE level is the basic level that only records login activity of SSH users. In many +situations, such as Incident Response, it is important to determine when a particular user was active +on a system. The logout record can eliminate those users who disconnected, which helps narrow the +field. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "LogLevel VERBOSE" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "LogLevel VERBOSE" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. 
+rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set SSH Daemon LogLevel to VERBOSE + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*LogLevel\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*LogLevel\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*LogLevel\s+ + line: LogLevel VERBOSE + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-17(1) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_loglevel_verbose + + + + + + + + + + + Enable GSSAPI Authentication + Sites setup to use Kerberos or other GSSAPI Authenticaion require setting +sshd to accept this authentication. +To enable GSSAPI authentication, add or correct the following line in the +/etc/ssh/sshd_config file: +GSSAPIAuthentication yes + Kerberos authentication for SSH is often implemented using GSSAPI. If +Kerberos is enabled through SSH, the SSH daemon provides a means of access +to the system's Kerberos implementation. Vulnerabilities in the system's +Kerberos implementations may be subject to exploitation. + +For enterprises, Kerberos is often enabled and used with GSSAPI for +centralized user account management which may necessitate enabling of +GSSAPI functionality in SSH. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "GSSAPIAuthentication yes" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "GSSAPIAuthentication yes" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable GSSAPI Authentication + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*GSSAPIAuthentication\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*GSSAPIAuthentication\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*GSSAPIAuthentication\s+ + line: GSSAPIAuthentication yes + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_enable_gssapi_auth + + + + + + + + + + + Set SSH authentication attempt 
limit + The MaxAuthTries parameter specifies the maximum number of authentication attempts +permitted per connection. Once the number of failures reaches half this value, additional failures are logged. +to set MaxAUthTries edit /etc/ssh/sshd_config as follows: +MaxAuthTries + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + Setting the MaxAuthTries parameter to a low number will minimize the risk of successful +brute force attacks to the SSH server. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +sshd_max_auth_tries_value="" + + + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*MaxAuthTries\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. 
+rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value sshd_max_auth_tries_value # promote to variable + set_fact: + sshd_max_auth_tries_value: !!str + tags: + - always + +- name: Set SSH authentication attempt limit + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*MaxAuthTries\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*MaxAuthTries\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*MaxAuthTries\s+ + line: MaxAuthTries {{ sshd_max_auth_tries_value }} + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_max_auth_tries + + + + + + + + + + + Set LogLevel to INFO + The INFO parameter specifices that record login and logout activity will be logged. +To specify the log level in +SSH, add or correct the following line in the /etc/ssh/sshd_config file: +LogLevel INFO + AC-17(a) + CM-6(a) + SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically +not recommended other than strictly for debugging SSH communications since it provides +so much data that it is difficult to identify important security information. INFO level is the +basic level that only records login activity of SSH users. In many situations, such as Incident +Response, it is important to determine when a particular user was active on a system. 
The +logout record can eliminate those users who disconnected, which helps narrow the field. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "LogLevel INFO" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "LogLevel INFO" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set LogLevel to INFO + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*LogLevel\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*LogLevel\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*LogLevel\s+ + line: LogLevel INFO + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - low_complexity + - low_disruption + - 
low_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_loglevel_info + + + + + + + + + + + Disable X11 Forwarding + The X11Forwarding parameter provides the ability to tunnel X11 traffic +through the connection to enable remote graphic connections. +SSH has the capability to encrypt remote X11 connections when SSH's +X11Forwarding option is enabled. + +To disable X11 Forwarding, add or correct the +following line in /etc/ssh/sshd_config: +X11Forwarding no + SRG-OS-000480-GPOS-00227 + CCI-000366 + CM-6(b) + Disable X11 forwarding unless there is an operational requirement to use X11 +applications directly. There is a small risk that the remote X11 servers of +users who are logged in via SSH with X11 forwarding could be compromised by +other users on the X11 server. Note that even if X11 forwarding is disabled, +users can always install their own forwarders. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "X11Forwarding no" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "X11Forwarding no" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. 
+rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable X11 Forwarding + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*X11Forwarding\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*X11Forwarding\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*X11Forwarding\s+ + line: X11Forwarding no + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(b) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_disable_x11_forwarding + + + + + + + + + + + Disable SSH root Login with a Password (Insecure) + To disable password-based root logins over SSH, add or correct the following +line in /etc/ssh/sshd_config: +PermitRootLogin prohibit-password + While this disables password-based root logins, direct root logins +through other means such as through SSH keys or GSSAPI will still be +permitted. Permitting any sort of root login remotely opens up the +root account to attack. +To fully disable direct root logins over SSH (which is considered a +best practice) and prevent remote attacks against the root account, +see CCE-27100-7, CCE-27445-6, CCE-80901-2, and similar. + Even though the communications channel may be encrypted, an additional +layer of security is gained by preventing use of a password. +This also helps to minimize direct attack attempts on root's password. 
+ + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "PermitRootLogin prohibit-password" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "PermitRootLogin prohibit-password" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable SSH root Login with a Password (Insecure) + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*PermitRootLogin\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*PermitRootLogin\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*PermitRootLogin\s+ + line: PermitRootLogin prohibit-password + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - low_complexity + - low_disruption + - medium_severity + - 
no_reboot_needed + - restrict_strategy + - sshd_disable_root_password_login + + + + + + + + + + + Disable SSH Root Login + The root user should never be allowed to login to a +system directly over a network. +To disable root login via SSH, add or correct the following line +in /etc/ssh/sshd_config: +PermitRootLogin no + 5.5.6 + 3.1.1 + 3.1.5 + CCI-000366 + CCI-000770 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + AC-6(2) + AC-17(a) + IA-2 + IA-2(5) + CM-7(a) + CM-7(b) + CM-6(a) + PR.AC-1 + PR.AC-4 + PR.AC-6 + PR.AC-7 + PR.DS-5 + PR.PT-3 + FIA_UAU.1 + SRG-OS-000109-GPOS-00056 + SRG-OS-000480-GPOS-00227 + SRG-OS-000480-VMM-002000 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 5.2 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + APO01.06 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.02 + DSS06.03 + DSS06.06 + DSS06.10 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.18.1.4 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + BP28(R19) + NT007(R21) + Even though the communications channel may be encrypted, an additional layer of +security is gained by extending the policy of not logging directly on as root. 
+In addition, logging in with a user-specific account provides individual +accountability of actions performed on the system and also helps to minimize +direct attack attempts on root's password. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. 
+rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable SSH Root Login + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*PermitRootLogin\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*PermitRootLogin\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*PermitRootLogin\s+ + line: PermitRootLogin no + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.6 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53- + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-6(2) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - NIST-800-53-IA-2 + - NIST-800-53-IA-2(5) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_disable_root_login + + + + + + + + + + + Limit Users' SSH Access + By default, the SSH configuration allows any user with an account +to access the system. In order to specify the users that are allowed to login +via SSH and deny all other users, add or correct the following line in the +/etc/ssh/sshd_config file: +AllowUsers USER1 USER2 +Where USER1 and USER2 are valid user names. 
+ 3.1.12 + AC-3 + CM-6(a) + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + DSS06.06 + A.6.1.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 11 + 12 + 14 + 15 + 16 + 18 + 3 + 5 + PR.AC-4 + PR.AC-6 + PR.PT-3 + Specifying which accounts are allowed SSH access into the system reduces the +possibility of unauthorized access to the system. + + + + + + + Disable SSH TCP Forwarding + The AllowTcpForwarding parameter specifies whether TCP forwarding is permitted. +To disable TCP forwarding, add or correct the +following line in /etc/ssh/sshd_config: +AllowTcpForwarding no + Leaving port forwarding enabled can expose the organization to security risks and back-doors. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*AllowTcpForwarding\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. 
+ printf '%s\n' "AllowTcpForwarding no" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "AllowTcpForwarding no" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable SSH TCP Forwarding + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*AllowTcpForwarding\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*AllowTcpForwarding\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*AllowTcpForwarding\s+ + line: AllowTcpForwarding no + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_disable_tcp_forwarding + + + + + + + + + + + Disable Host-Based Authentication + SSH's cryptographic host-based authentication is +more secure than .rhosts authentication. However, it is +not recommended that hosts unilaterally trust one another, even +within an organization. 
+ +To disable host-based authentication, add or correct the +following line in /etc/ssh/sshd_config: +HostbasedAuthentication no + 5.5.6 + 3.1.12 + CCI-000366 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + AC-3 + AC-17(a) + CM-7(a) + CM-7(b) + CM-6(a) + PR.AC-4 + PR.AC-6 + PR.IP-1 + PR.PT-3 + FIA_UAU.1 + SRG-OS-000480-GPOS-00229 + SRG-OS-000480-VMM-002000 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.1.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 11 + 12 + 14 + 15 + 16 + 18 + 3 + 5 + 9 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + SSH trust relationships mean a compromise on one host +can allow an attacker to move trivially to other hosts. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. 
+ printf '%s\n' "HostbasedAuthentication no" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "HostbasedAuthentication no" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable Host-Based Authentication + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*HostbasedAuthentication\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*HostbasedAuthentication\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*HostbasedAuthentication\s+ + line: HostbasedAuthentication no + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.6 + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-3 + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - disable_host_auth + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + + apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + config: + ignition: + version: 3.1.0 + storage: + files: + - contents: + source: 
data:,%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018%2F04%2F09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fbin%3A%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Fsbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_rsa_key%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_ecdsa_key%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20512M%201h%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20%2Fetc%2Fsysconfig%2Fsshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%
23LoginGraceTime%202m%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh%2Fauthorized_keys%20and%20.ssh%2Fauthorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh%2Fauthorized_keys%0AAuthorizedKeysFile%09.ssh%2Fauthorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20%2Fetc%2Fssh%2Fssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~%2F.ssh%2Fknown_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~%2F.rhosts%20and%20~%2F.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s%2Fkey%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authenticati
on%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20%2Fetc%2Fpam.d%2Fsshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20no%0AClientAliveInterval%20600%0AClientAliveCountMax%200%0A%23UseDNS%20no%0A%23PidFile%20%2Fvar%2Frun%2Fsshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20%2Fetc%2Fissue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09%2Fusr%2Flibexec%2Fopenssh%2Fsftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20sandb
ox + mode: 0600 + path: /etc/ssh/sshd_config + overwrite: true + + + + + + + + + + + Allow Only SSH Protocol 2 + Only SSH protocol version 2 connections should be +permitted. The default setting in +/etc/ssh/sshd_config is correct, and can be +verified by ensuring that the following +line appears: +Protocol 2 + As of openssh-server version 7.4 and above, the only protocol +supported is version 2, and line Protocol 2 in +/etc/ssh/sshd_config is not necessary. + NT007(R1) + 5.5.6 + 3.1.13 + 3.5.4 + CCI-000197 + CCI-000366 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + CM-6(a) + AC-17(a) + AC-17(2) + IA-5(1)(c) + SC-13 + MA-4(6) + PR.AC-1 + PR.AC-3 + PR.AC-6 + PR.AC-7 + PR.PT-4 + SRG-OS-000074-GPOS-00042 + SRG-OS-000480-GPOS-00227 + SRG-OS-000033-VMM-000140 + SR 1.1 + SR 1.10 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.6 + SR 3.1 + SR 3.5 + SR 3.8 + SR 4.1 + SR 4.3 + SR 5.1 + SR 5.2 + SR 5.3 + SR 7.1 + SR 7.6 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.4 + APO13.01 + DSS01.04 + DSS05.02 + DSS05.03 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.11.2.6 + A.13.1.1 + A.13.2.1 + A.14.1.3 + A.18.1.4 + A.6.2.1 + A.6.2.2 + A.7.1.1 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + 5 + 8 + 0487 + 1449 + 1506 + SSH protocol version 1 is an insecure implementation of the SSH protocol and +has many well-known vulnerability exploits. Exploits of the SSH daemon could provide +immediate root access to the system. 
+ + - name: Allow Only SSH Protocol 2 + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*Protocol\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*Protocol\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*Protocol\s+ + line: Protocol 2 + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.6 + - NIST-800-171-3.1.13 + - NIST-800-171-3.5.4 + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-IA-5(1)(c) + - NIST-800-53-MA-4(6) + - NIST-800-53-SC-13 + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - restrict_strategy + - sshd_allow_only_protocol2 + + + + + + + + + + + Enable SSH Warning Banner + To enable the warning banner and ensure it is consistent +across the system, add or correct the following line in /etc/ssh/sshd_config: +Banner /etc/issue +Another section contains information on how to create an +appropriate system-wide warning banner. 
+ 5.5.6 + 3.1.9 + CCI-000048 + CCI-000050 + CCI-001384 + CCI-001385 + CCI-001386 + CCI-001387 + CCI-001388 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + AC-8(a) + AC-8(c) + AC-17(a) + CM-6(a) + PR.AC-7 + FTA_TAB.1 + SRG-OS-000023-GPOS-00006 + SRG-OS-000024-GPOS-00007 + SRG-OS-000228-GPOS-00088 + SRG-OS-000023-VMM-000060 + SRG-OS-000024-VMM-000070 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + DSS05.04 + DSS05.10 + DSS06.10 + A.18.1.4 + A.9.2.1 + A.9.2.4 + A.9.3.1 + A.9.4.2 + A.9.4.3 + 1 + 12 + 15 + 16 + The warning message reinforces policy awareness during the logon process and +facilitates possible legal action against attackers. Alternatively, systems +whose ownership should not be obvious should ensure usage of a banner that does +not provide easy attribution. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "Banner /etc/issue" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "Banner /etc/issue" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. 
+rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable SSH Warning Banner + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*Banner\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*Banner\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*Banner\s+ + line: Banner /etc/issue + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.6 + - NIST-800-171-3.1.9 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-8(a) + - NIST-800-53-AC-8(c) + - NIST-800-53-CM-6(a) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_enable_warning_banner + + + + + + + + + + + Disable Compression Or Set Compression to delayed + Compression is useful for slow network connections over long +distances but can cause performance issues on local LANs. If use of compression +is required, it should be enabled only after a user has authenticated; otherwise, +it should be disabled. 
To disable compression or delay compression until after +a user has successfully authenticated, add or correct the following line in the +/etc/ssh/sshd_config file: +Compression + 3.1.12 + CCI-000366 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + AC-17(a) + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + SRG-OS-000480-GPOS-00227 + SRG-OS-000480-VMM-002000 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 3 + 9 + If compression is allowed in an SSH connection prior to authentication, +vulnerabilities in the compression software could result in compromise of the +system from an unauthenticated connection, potentially with root privileges. + + - name: XCCDF Value var_sshd_disable_compression # promote to variable + set_fact: + var_sshd_disable_compression: !!str + tags: + - always + +- name: Disable Compression Or Set Compression to delayed + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*Compression\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*Compression\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*Compression\s+ + line: Compression {{ var_sshd_disable_compression }} + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - low_complexity + - low_disruption + - medium_severity + - 
no_reboot_needed + - restrict_strategy + - sshd_disable_compression + + + + + + + + + + + + Prevent remote hosts from connecting to the proxy display + The SSH daemon should prevent remote hosts from connecting to the proxy +display. Make sure that the option X11UseLocalhost is set to +yes within the SSH server configuration file. + SRG-OS-000480-GPOS-00227 + CCI-000366 + CM-6(b) + When X11 forwarding is enabled, there may be additional exposure to the +server and client displays if the sshd proxy display is configured to listen +on the wildcard address. By default, sshd binds the forwarding server to the +loopback address and sets the hostname part of the DISPLAY +environment variable to localhost. This prevents remote hosts from +connecting to the proxy display. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*X11UseLocalhost\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "X11UseLocalhost yes" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "X11UseLocalhost yes" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. 
+rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Prevent remote hosts from connecting to the proxy display + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*X11UseLocalhost\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*X11UseLocalhost\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*X11UseLocalhost\s+ + line: X11UseLocalhost yes + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-53-CM-6(b) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_x11_use_localhost + + + + + + + + + + + Enable Use of Strict Mode Checking + SSHs StrictModes option checks file and ownership permissions in +the user's home directory .ssh folder before accepting login. If world- +writable permissions are found, logon is rejected. 
To enable StrictModes in SSH, +add or correct the following line in the /etc/ssh/sshd_config file: +StrictModes yes + 3.1.12 + CCI-000366 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + AC-6 + AC-17(a) + CM-6(a) + PR.AC-4 + PR.DS-5 + SRG-OS-000480-GPOS-00227 + SRG-OS-000480-VMM-002000 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + If other users have access to modify user-specific SSH configuration files, they +may be able to log into the system as another user. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "StrictModes yes" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "StrictModes yes" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. 
+rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable Use of Strict Mode Checking + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*StrictModes\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*StrictModes\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*StrictModes\s+ + line: StrictModes yes + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-6 + - NIST-800-53-CM-6(a) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_enable_strictmodes + + + + + + + + + + + Disable SSH Access via Empty Passwords + To explicitly disallow SSH login from accounts with +empty passwords, add or correct the following line in /etc/ssh/sshd_config: + +PermitEmptyPasswords no + +Any accounts with empty passwords should be disabled immediately, and PAM configuration +should prevent users from being able to assign themselves empty passwords. 
+ NT007(R17) + 5.5.6 + 3.1.1 + 3.1.5 + CCI-000366 + CCI-000766 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + AC-17(a) + CM-7(a) + CM-7(b) + CM-6(a) + PR.AC-4 + PR.AC-6 + PR.DS-5 + PR.IP-1 + PR.PT-3 + FIA_UAU.1 + SRG-OS-000106-GPOS-00053 + SRG-OS-000480-GPOS-00229 + SRG-OS-000480-GPOS-00227 + SRG-OS-000480-VMM-002000 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 5.2 + SR 7.6 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + APO01.06 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.02 + DSS06.03 + DSS06.06 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 11 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + 9 + Configuring this setting for the SSH daemon provides additional assurance +that remote login via SSH will require a password, even in the event of +misconfiguration elsewhere. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. 
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "PermitEmptyPasswords no" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "PermitEmptyPasswords no" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable SSH Access via Empty Passwords + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*PermitEmptyPasswords\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*PermitEmptyPasswords\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*PermitEmptyPasswords\s+ + line: PermitEmptyPasswords no + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.6 + - NIST-800-171-3.1.1 + - NIST-800-171-3.1.5 + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - restrict_strategy + - sshd_disable_empty_passwords + + + + + + + + + + + Disable Kerberos Authentication + Unless needed, SSH should not permit extraneous or unnecessary +authentication mechanisms like Kerberos. 
To disable Kerberos authentication, add +or correct the following line in the /etc/ssh/sshd_config file: +KerberosAuthentication no + 3.1.12 + CCI-000318 + CCI-000368 + CCI-001812 + CCI-001813 + CCI-001814 + CCI-000366 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + AC-17(a) + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + FTP_ITC_EXT.1 + SRG-OS-000364-GPOS-00151 + SRG-OS-000480-GPOS-00227 + SRG-OS-000480-VMM-002000 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 3 + 9 + 0421 + 0422 + 0431 + 0974 + 1173 + 1401 + 1504 + 1505 + 1546 + 1557 + 1558 + 1559 + 1560 + 1561 + Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos +is enabled through SSH, the SSH daemon provides a means of access to the +system's Kerberos implementation. Vulnerabilities in the system's Kerberos +implementations may be subject to exploitation. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "KerberosAuthentication no" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "KerberosAuthentication no" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. 
+rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable Kerberos Authentication + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*KerberosAuthentication\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*KerberosAuthentication\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*KerberosAuthentication\s+ + line: KerberosAuthentication no + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_disable_kerb_auth + + + + + + + + + + + Enable Use of Privilege Separation + When enabled, SSH will create an unprivileged child process that +has the privilege of the authenticated user. 
To enable privilege separation in +SSH, add or correct the following line in the /etc/ssh/sshd_config file: +UsePrivilegeSeparation + 3.1.12 + CCI-000366 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + CM-6(a) + AC-17(a) + AC-6 + PR.AC-4 + PR.DS-5 + SRG-OS-000480-GPOS-00227 + SR 2.1 + SR 5.2 + 4.3.3.7.3 + APO01.06 + DSS05.04 + DSS05.07 + DSS06.02 + A.10.1.1 + A.11.1.4 + A.11.1.5 + A.11.2.1 + A.13.1.1 + A.13.1.3 + A.13.2.1 + A.13.2.3 + A.13.2.4 + A.14.1.2 + A.14.1.3 + A.6.1.2 + A.7.1.1 + A.7.1.2 + A.7.3.1 + A.8.2.2 + A.8.2.3 + A.9.1.1 + A.9.1.2 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + SSH daemon privilege separation causes the SSH process to drop root privileges +when not needed which would decrease the impact of software vulnerabilities in +the unprivileged section. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +var_sshd_priv_separation="" + + + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*UsePrivilegeSeparation\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "UsePrivilegeSeparation $var_sshd_priv_separation" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "UsePrivilegeSeparation $var_sshd_priv_separation" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. 
+rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_sshd_priv_separation # promote to variable + set_fact: + var_sshd_priv_separation: !!str + tags: + - always + +- name: Enable Use of Privilege Separation + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*UsePrivilegeSeparation\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*UsePrivilegeSeparation\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*UsePrivilegeSeparation\s+ + line: UsePrivilegeSeparation {{ var_sshd_priv_separation }} + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-6 + - NIST-800-53-CM-6(a) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_use_priv_separation + + + + + + + + + + + + Disable SSH Support for Rhosts RSA Authentication + SSH can allow authentication through the obsolete rsh +command through the use of the authenticating user's SSH keys. This should be disabled. + +To ensure this behavior is disabled, add or correct the +following line in /etc/ssh/sshd_config: +RhostsRSAAuthentication no + As of openssh-server version 7.4 and above, +the RhostsRSAAuthentication option has been deprecated, and the line +RhostsRSAAuthentication no in /etc/ssh/sshd_config is not +necessary. 
+ 3.1.12 + CCI-000366 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + AC-17(a) + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + FIA_UAU.1 + SRG-OS-000480-GPOS-00227 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 3 + 9 + Configuring this setting for the SSH daemon provides additional +assurance that remote login via SSH will require a password, even +in the event of misconfiguration elsewhere. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +replace_or_append '/etc/ssh/sshd_config' '^RhostsRSAAuthentication' 'no' '' '%s %s' + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable SSH Support for Rhosts RSA Authentication + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*RhostsRSAAuthentication\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*RhostsRSAAuthentication\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*RhostsRSAAuthentication\s+ + line: RhostsRSAAuthentication no + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_disable_rhosts_rsa + + + + + + + + + + + Do 
Not Allow SSH Environment Options + To ensure users are not able to override environment +variables of the SSH daemon, add or correct the following line +in /etc/ssh/sshd_config: +PermitUserEnvironment no + 5.5.6 + 3.1.12 + CCI-000366 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + AC-17(a) + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + SRG-OS-000480-GPOS-00229 + SRG-OS-000480-VMM-002000 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 3 + 9 + SSH environment options potentially allow users to bypass +access restriction in some configurations. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "PermitUserEnvironment no" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "PermitUserEnvironment no" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. 
+rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Do Not Allow SSH Environment Options + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*PermitUserEnvironment\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*PermitUserEnvironment\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*PermitUserEnvironment\s+ + line: PermitUserEnvironment no + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.6 + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_do_not_permit_user_env + + + + + + + + + + + Disable SSH Support for .rhosts Files + SSH can emulate the behavior of the obsolete rsh +command in allowing users to enable insecure access to their +accounts via .rhosts files. 
+ +To ensure this behavior is disabled, add or correct the +following line in /etc/ssh/sshd_config: +IgnoreRhosts yes + 5.5.6 + 3.1.12 + CCI-000366 + AC-17(a) + CM-7(a) + CM-7(b) + CM-6(a) + PR.AC-4 + PR.AC-6 + PR.IP-1 + PR.PT-3 + FIA_UAU.1 + SRG-OS-000480-GPOS-00227 + SRG-OS-000107-VMM-000530 + SR 1.1 + SR 1.10 + SR 1.11 + SR 1.12 + SR 1.13 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.6 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 2.2 + SR 2.3 + SR 2.4 + SR 2.5 + SR 2.6 + SR 2.7 + SR 7.6 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.5.3 + 4.3.3.5.4 + 4.3.3.5.5 + 4.3.3.5.6 + 4.3.3.5.7 + 4.3.3.5.8 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.1 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS05.02 + DSS05.04 + DSS05.05 + DSS05.07 + DSS06.03 + DSS06.06 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + A.6.1.2 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.3 + A.9.4.1 + A.9.4.4 + A.9.4.5 + 11 + 12 + 14 + 15 + 16 + 18 + 3 + 5 + 9 + SSH trust relationships mean a compromise on one host +can allow an attacker to move trivially to other hosts. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. 
+ printf '%s\n' "IgnoreRhosts yes" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "IgnoreRhosts yes" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable SSH Support for .rhosts Files + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*IgnoreRhosts\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*IgnoreRhosts\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*IgnoreRhosts\s+ + line: IgnoreRhosts yes + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.6 + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_disable_rhosts + + + + + + + + + + + Set SSH Client Alive Count Max + The SSH server sends at most ClientAliveCountMax messages +during a SSH session and waits for a response from the SSH client. +The option ClientAliveInterval configures timeout after +each ClientAliveCountMax message. If the SSH server does not +receive a response from the client, then the connection is considered idle +and terminated. 
+For SSH earlier than v8.2, a ClientAliveCountMax value of 0 +causes an idle timeout precisely when the ClientAliveInterval is set. +Starting with v8.2, a value of 0 disables the timeout functionality +completely. If the option is set to a number greater than 0, then +the idle session will be disconnected after +ClientAliveInterval * ClientAliveCountMax seconds. + 5.5.6 + 3.1.11 + CCI-000879 + CCI-001133 + CCI-002361 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + AC-2(5) + AC-12 + AC-17(a) + SC-10 + CM-6(a) + DE.CM-1 + DE.CM-3 + PR.AC-1 + PR.AC-4 + PR.AC-6 + PR.AC-7 + PR.IP-2 + Req-8.1.8 + SRG-OS-000163-GPOS-00072 + SRG-OS-000279-GPOS-00109 + SRG-OS-000480-VMM-002000 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 6.2 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.3 + APO13.01 + BAI03.01 + BAI03.02 + BAI03.03 + DSS01.03 + DSS03.05 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.12.4.1 + A.12.4.3 + A.14.1.1 + A.14.2.1 + A.14.2.5 + A.18.1.4 + A.6.1.2 + A.6.1.5 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + 7 + 8 + BP28(R29) + This ensures a user login will be terminated as soon as the ClientAliveInterval +is reached. + + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + + +var_sshd_set_keepalive="" + + + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. 
+line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "ClientAliveCountMax $var_sshd_set_keepalive" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_sshd_set_keepalive # promote to variable + set_fact: + var_sshd_set_keepalive: !!str + tags: + - always + +- name: Set SSH Client Alive Count Max + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*ClientAliveCountMax\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*ClientAliveCountMax\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*ClientAliveCountMax\s+ + line: ClientAliveCountMax {{ var_sshd_set_keepalive }} + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.6 + - NIST-800-171-3.1.11 + - NIST-800-53-AC-12 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-2(5) + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-10 + - PCI-DSS-Req-8.1.8 + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - 
sshd_set_keepalive + + + + + + + + + + + + Set SSH Client Alive Count Max to zero + The SSH server sends at most ClientAliveCountMax messages +during a SSH session and waits for a response from the SSH client. +The option ClientAliveInterval configures timeout after +each ClientAliveCountMax message. If the SSH server does not +receive a response from the client, then the connection is considered idle +and terminated. + +To ensure the SSH idle timeout occurs precisely when the +ClientAliveInterval is set, set the ClientAliveCountMax to +value of 0. + 5.5.6 + 3.1.11 + CCI-000879 + CCI-001133 + CCI-002361 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + AC-2(5) + AC-12 + AC-17(a) + SC-10 + CM-6(a) + DE.CM-1 + DE.CM-3 + PR.AC-1 + PR.AC-4 + PR.AC-6 + PR.AC-7 + PR.IP-2 + Req-8.1.8 + SRG-OS-000163-GPOS-00072 + SRG-OS-000279-GPOS-00109 + SRG-OS-000480-VMM-002000 + SR 1.1 + SR 1.10 + SR 1.2 + SR 1.3 + SR 1.4 + SR 1.5 + SR 1.7 + SR 1.8 + SR 1.9 + SR 2.1 + SR 6.2 + 4.3.3.2.2 + 4.3.3.5.1 + 4.3.3.5.2 + 4.3.3.6.1 + 4.3.3.6.2 + 4.3.3.6.3 + 4.3.3.6.4 + 4.3.3.6.5 + 4.3.3.6.6 + 4.3.3.6.7 + 4.3.3.6.8 + 4.3.3.6.9 + 4.3.3.7.2 + 4.3.3.7.3 + 4.3.3.7.4 + 4.3.4.3.3 + APO13.01 + BAI03.01 + BAI03.02 + BAI03.03 + DSS01.03 + DSS03.05 + DSS05.04 + DSS05.05 + DSS05.07 + DSS05.10 + DSS06.03 + DSS06.10 + A.12.4.1 + A.12.4.3 + A.14.1.1 + A.14.2.1 + A.14.2.5 + A.18.1.4 + A.6.1.2 + A.6.1.5 + A.7.1.1 + A.9.1.2 + A.9.2.1 + A.9.2.2 + A.9.2.3 + A.9.2.4 + A.9.2.6 + A.9.3.1 + A.9.4.1 + A.9.4.2 + A.9.4.3 + A.9.4.4 + A.9.4.5 + 1 + 12 + 13 + 14 + 15 + 16 + 18 + 3 + 5 + 7 + 8 + This ensures a user login will be terminated as soon as the ClientAliveInterval +is reached. + + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*ClientAliveCountMax\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "ClientAliveCountMax 0" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "ClientAliveCountMax 0" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Set SSH Client Alive Count Max to zero + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*ClientAliveCountMax\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*ClientAliveCountMax\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*ClientAliveCountMax\s+ + line: ClientAliveCountMax 0 + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - CJIS-5.5.6 + - NIST-800-171-3.1.11 + - NIST-800-53-AC-12 + - NIST-800-53-AC-17(a) + - NIST-800-53-AC-2(5) + - NIST-800-53-CM-6(a) + - NIST-800-53-SC-10 + - PCI-DSS-Req-8.1.8 + - 
low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_set_keepalive_0 + + + + + + + + + + + Enable Encrypted X11 Forwarding + By default, remote X11 connections are not encrypted when initiated +by users. SSH has the capability to encrypt remote X11 connections when SSH's +X11Forwarding option is enabled. + +To enable X11 Forwarding, add or correct the +following line in /etc/ssh/sshd_config: +X11Forwarding yes + 3.1.13 + CCI-000366 + CM-6(a) + AC-17(a) + AC-17(2) + DE.AE-1 + PR.DS-7 + PR.IP-1 + SRG-OS-000480-GPOS-00227 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + 4.4.3.3 + BAI03.08 + BAI07.04 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + DSS03.01 + A.12.1.1 + A.12.1.2 + A.12.1.4 + A.12.5.1 + A.12.6.2 + A.13.1.1 + A.13.1.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 1 + 11 + 12 + 13 + 15 + 16 + 18 + 20 + 3 + 4 + 6 + 9 + Non-encrypted X displays allow an attacker to capture keystrokes and to execute commands +remotely. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "X11Forwarding yes" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "X11Forwarding yes" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. 
+rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Enable Encrypted X11 Forwarding + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*X11Forwarding\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*X11Forwarding\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*X11Forwarding\s+ + line: X11Forwarding yes + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.13 + - NIST-800-53-AC-17(2) + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - high_severity + - low_complexity + - low_disruption + - no_reboot_needed + - restrict_strategy + - sshd_enable_x11_forwarding + + + + + + + + + + + Disable PubkeyAuthentication Authentication + Unless needed, SSH should not permit extraneous or unnecessary +authentication mechanisms. To disable PubkeyAuthentication authentication, add or +correct the following line in the /etc/ssh/sshd_config file: +PubkeyAuthentication no + PubkeyAuthentication authentication is used to provide additional authentication mechanisms to +applications. Allowing PubkeyAuthentication authentication through SSH allows users to +generate their own authentication tokens, increasing the attack surface of the system. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*PubkeyAuthentication\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "PubkeyAuthentication no" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "PubkeyAuthentication no" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable PubkeyAuthentication Authentication + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*PubkeyAuthentication\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*PubkeyAuthentication\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*PubkeyAuthentication\s+ + line: PubkeyAuthentication no + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_disable_pubkey_auth + + + + + + + + + + + Disable SSH Support 
for User Known Hosts + SSH can allow system users to connect to systems if a cache of the remote +systems public keys is available. This should be disabled. + +To ensure this behavior is disabled, add or correct the +following line in /etc/ssh/sshd_config: +IgnoreUserKnownHosts yes + 3.1.12 + CCI-000366 + 164.308(a)(4)(i) + 164.308(b)(1) + 164.308(b)(3) + 164.310(b) + 164.312(e)(1) + 164.312(e)(2)(ii) + AC-17(a) + CM-7(a) + CM-7(b) + CM-6(a) + PR.IP-1 + FIA_UAU.1 + SRG-OS-000480-GPOS-00227 + SR 7.6 + 4.3.4.3.2 + 4.3.4.3.3 + BAI10.01 + BAI10.02 + BAI10.03 + BAI10.05 + A.12.1.2 + A.12.5.1 + A.12.6.2 + A.14.2.2 + A.14.2.3 + A.14.2.4 + 11 + 3 + 9 + Configuring this setting for the SSH daemon provides additional +assurance that remote login via SSH will require a password, even +in the event of misconfiguration elsewhere. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "IgnoreUserKnownHosts yes" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "IgnoreUserKnownHosts yes" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. 
+rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: Disable SSH Support for User Known Hosts + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*IgnoreUserKnownHosts\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*IgnoreUserKnownHosts\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*IgnoreUserKnownHosts\s+ + line: IgnoreUserKnownHosts yes + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - NIST-800-171-3.1.12 + - NIST-800-53-AC-17(a) + - NIST-800-53-CM-6(a) + - NIST-800-53-CM-7(a) + - NIST-800-53-CM-7(b) + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - restrict_strategy + - sshd_disable_user_known_hosts + + + + + + + + + + + Set SSH MaxSessions limit + The MaxSessions parameter specifies the maximum number of open sessions permitted +from a given connection. To set MaxSessions edit +/etc/ssh/sshd_config as follows: MaxSessions + To protect a system from denial of service due to a large number of concurrent +sessions, use the rate limiting function of MaxSessions to protect availability +of sshd logins and prevent overwhelming the daemon. + + # Remediation is applicable only in certain platforms +if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then + + +var_sshd_max_sessions="" + + + +if [ -e "/etc/ssh/sshd_config" ] ; then + LC_ALL=C sed -i "/^\s*MaxSessions\s\+/Id" "/etc/ssh/sshd_config" +else + touch "/etc/ssh/sshd_config" +fi +cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak" +# Insert before the line matching the regex '^Match'. +line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')" +if [ -z "$line_number" ]; then + # There was no match of '^Match', insert at + # the end of the file. + printf '%s\n' "MaxSessions $var_sshd_max_sessions" >> "/etc/ssh/sshd_config" +else + head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config" + printf '%s\n' "MaxSessions $var_sshd_max_sessions" >> "/etc/ssh/sshd_config" + tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config" +fi +# Clean up after ourselves. +rm "/etc/ssh/sshd_config.bak" + +else + >&2 echo 'Remediation is not applicable, nothing was done' +fi + + - name: XCCDF Value var_sshd_max_sessions # promote to variable + set_fact: + var_sshd_max_sessions: !!str + tags: + - always + +- name: Set SSH MaxSessions limit + block: + + - name: Check for duplicate values + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*MaxSessions\s+ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: false + regexp: (?i)^\s*MaxSessions\s+ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/ssh/sshd_config + lineinfile: + path: /etc/ssh/sshd_config + create: true + regexp: (?i)^\s*MaxSessions\s+ + line: MaxSessions {{ var_sshd_max_sessions }} + state: present + insertbefore: ^[#\s]*Match + validate: /usr/sbin/sshd -t -f %s + when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - configure_strategy + 
- low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - sshd_set_max_sessions + + + + + + + + + + + + Strengthen Firewall Configuration if Possible + If the SSH server is expected to only receive connections from +the local network, then strengthen the default firewall rule for the SSH service +to only accept connections from the appropriate network segment(s). + +Determine an appropriate network block, netwk, network mask, mask, and +network protocol, ip_protocol, representing the systems on your network which will +be allowed to access this SSH server. + +Run the following command: +firewall-cmd --permanent --add-rich-rule='rule family="ip_protocol" source address="netwk/mask" service name="ssh" accept' + + + + + + Base Services + This section addresses the base services that are installed on a +Fedora default installation which are not covered in other +sections. Some of these services listen on the network and +should be treated with particular discretion. Other services are local +system utilities that may or may not be extraneous. In general, system services +should be disabled if not required. + + Uninstall Automatic Bug Reporting Tool (abrt) + The Automatic Bug Reporting Tool (abrt) collects +and reports crash data when an application crash is detected. Using a variety +of plugins, abrt can email crash reports to system administrators, log crash +reports to files, or forward crash reports to a centralized issue tracking +system such as RHTSupport. +The abrt package can be removed with the following command: + +$ sudo dnf erase abrt + SRG-OS-000095-GPOS-00049 + CCI-000381 + Mishandling crash data could expose sensitive information about +vulnerabilities in software executing on the system, as well as sensitive +information from within a process's address space or registers. + +# CAUTION: This remediation script will remove abrt +# from the system, and may remove any packages +# that depend on abrt. 
Execute this +# remediation AFTER testing on a non-production +# system! + +if rpm -q --quiet "abrt" ; then + dnf remove -y "abrt" +fi + + - name: Ensure abrt is removed + package: + name: abrt + state: absent + tags: + - disable_strategy + - low_complexity + - low_disruption + - medium_severity + - no_reboot_needed + - package_abrt_removed + + include remove_abrt + +class remove_abrt { + package { 'abrt': + ensure => 'purged', + } +} + + +package --remove=abrt + + + + + + + + + + + + Introduction + The purpose of this guidance is to provide security configuration +recommendations and baselines for the Fedora operating +system. Recommended settings for the basic operating system are provided, +as well as for many network services that the system can provide to other systems. +The guide is intended for system administrators. Readers are assumed to +possess basic system administration skills for Unix-like systems, as well +as some familiarity with the product's documentation and administration +conventions. Some instructions within this guide are complex. +All directions should be followed completely and with understanding of +their effects in order to avoid serious adverse effects on the system +and its security. + + How to Use This Guide + Readers should heed the following points when using the guide. + + Read Sections Completely and in Order + Each section may build on information and recommendations discussed in +prior sections. Each section should be read and understood completely; +instructions should never be blindly applied. Relevant discussion may +occur after instructions for an action. + + + Test in Non-Production Environment + This guidance should always be tested in a non-production environment +before deployment. This test environment should simulate the setup in +which the system will be deployed as closely as possible. 
+ + + Reboot Required + A system reboot is implicitly required after some actions in order to +complete the reconfiguration of the system. In many cases, the changes +will not take effect until a reboot is performed. In order to ensure +that changes are applied properly and to test functionality, always +reboot the system after applying a set of recommendations from this guide. + + + Formatting Conventions + Commands intended for shell execution, as well as configuration file text, +are featured in a monospace font. Italics are used +to indicate instances where the system administrator must substitute +the appropriate information into a command or configuration file. + + + Root Shell Environment Assumed + Most of the actions listed in this document are written with the +assumption that they will be executed by the root user running the +/bin/bash shell. Commands preceded with a hash mark (#) +assume that the administrator will execute the commands as root, i.e. +apply the command via sudo whenever possible, or use +su to gain root privileges if sudo cannot be +used. Commands which can be executed as a non-root user are are preceded +by a dollar sign ($) prompt. + + + + General Principles + The following general principles motivate much of the advice in this +guide and should also influence any configuration decisions that are +not explicitly covered. + + Minimize Software to Minimize Vulnerability + The simplest way to avoid vulnerabilities in software is to avoid +installing that software. On Fedora,the RPM Package Manager (originally Red Hat Package Manager, abbreviated RPM) +allows for careful management of +the set of software packages installed on a system. Installed software +contributes to system vulnerability in several ways. Packages that +include setuid programs may provide local attackers a potential path to +privilege escalation. Packages that include network services may give +this opportunity to network-based attackers. 
Packages that include +programs which are predictably executed by local users (e.g. after +graphical login) may provide opportunities for trojan horses or other +attack code to be run undetected. The number of software packages +installed on a system can almost always be significantly pruned to include +only the software for which there is an environmental or operational need. + + + Encrypt Transmitted Data Whenever Possible + Data transmitted over a network, whether wired or wireless, is susceptible +to passive monitoring. Whenever practical solutions for encrypting +such data exist, they should be applied. Even if data is expected to +be transmitted only over a local network, it should still be encrypted. +Encrypting authentication data, such as passwords, is particularly +important. Networks of Fedora machines can and should be configured +so that no unencrypted authentication data is ever transmitted between +machines. + + + Run Different Network Services on Separate Systems + Whenever possible, a server should be dedicated to serving exactly one +network service. This limits the number of other services that can +be compromised in the event that an attacker is able to successfully +exploit a software flaw in one network service. + + + Least Privilege + Grant the least privilege necessary for user accounts and software to perform tasks. +For example, sudo can be implemented to limit authorization to super user +accounts on the system only to designated personnel. Another example is to limit +logins on server systems to only those administrators who need to log into them in +order to perform administration tasks. Using SELinux also follows the principle of +least privilege: SELinux policy can confine software to perform only actions on the +system that are specifically allowed. This can be far more restrictive than the +actions permissible by the traditional Unix permissions model. 
+ + + Configure Security Tools to Improve System Robustness + Several tools exist which can be effectively used to improve a system's +resistance to and detection of unknown attacks. These tools can improve +robustness against attack at the cost of relatively little configuration +effort. In particular, this guide recommends and discusses the use of +host-based firewalling, SELinux for protection against +vulnerable services, and a logging and auditing infrastructure for +detection of problems. + + + + + + + + + combine_ovals.py from SCAP Security Guide + ssg: [0, 1, 56], python: 3.9.5 + 5.11 + 2021-05-26T00:00:00 + + + + + CentOS 6 + + Fedora + + + The operating system installed on the system is + CentOS 6 + + + + + + + + + CentOS 7 + + Fedora + + + The operating system installed on the system is + CentOS 7 + + + + + + + + + CentOS 8 + + Fedora + + + The operating system installed on the system is + CentOS 8 + + + + + + + + + + Debian + + Fedora + + The operating system installed is a Debian System + + + + + + + + + Debian Linux 10 + + Fedora + + + The operating system installed on the system is Debian 10 + + + + + + + + + Debian 9 + + Fedora + + + The operating system installed on the system is Debian 9 + + + + + + + + + Installed operating system is Fedora + + Fedora + + + The operating system installed on the system is Fedora + + + + + + + + + + Oracle Linux 7 + + Fedora + + + The operating system installed on the system is + Oracle Linux 7 + + + + + + + + + + + Oracle Linux 8 + + Fedora + + + The operating system installed on the system is + Oracle Linux 8 + + + + + + + + + + + openSUSE + + Fedora + + The operating system installed on the system is openSUSE. + + + + + + + + + openSUSE Leap 15 + + Fedora + + + The operating system installed on the system is openSUSE Leap 15. + + + + + + + + + openSUSE Leap 42 + + Fedora + + + + + The operating system installed on the system is openSUSE Leap 42. 
+ + + + + + + + + Installed operating system is part of the Unix family + + Fedora + + The operating system installed on the system is part of the Unix OS family + + + + + + + + Red Hat Enterprise Linux CoreOS + + Fedora + + + The operating system installed on the system is + Red Hat Enterprise Linux CoreOS release 4 + + + + + + + + + + + Red Hat Enterprise Linux 7 + + Fedora + + + The operating system installed on the system is + Red Hat Enterprise Linux 7 + + + + + + + + + + + + + + + + + + Red Hat Enterprise Linux 8 + + Fedora + + + The operating system installed on the system is + Red Hat Enterprise Linux 8 + + + + + + + + + + + + + + + Red Hat Enterprise Linux 9 + + Fedora + + + The operating system installed on the system is + Red Hat Enterprise Linux 9 + + + + + + + + + + + + + + + Red Hat Virtualization 4 + + Fedora + + + The operating system installed on the system is + Red Hat Virtualization Host 4.4+ or Red Hat Enterprise Host. + + + + + + + + + Scientific Linux 6 + + Fedora + + + The operating system installed on the system is + Scientific Linux 6 + + + + + + + + + Scientific Linux 7 + + Fedora + + + The operating system installed on the system is + Scientific Linux 7 + + + + + + + + + SUSE Linux Enterprise 12 + + Fedora + + + + The operating system installed on the system is + SUSE Linux Enterprise 12. + + + + + + + + + + + + + SUSE Linux Enterprise 15 + + Fedora + + + + The operating system installed on the system is + SUSE Linux Enterprise 15. 
+ + + + + + + + + + + + + Ubuntu + + Fedora + + The operating system installed is an Ubuntu System + + + + + + + + + + Ubuntu 1604 + + Fedora + + + The operating system installed on the system is Ubuntu 1604 + + + + + + + + + Ubuntu 1804 + + Fedora + + + The operating system installed on the system is Ubuntu 1804 + + + + + + + + + Ubuntu 2004 + + Fedora + + + The operating system installed on the system is Ubuntu 2004 + + + + + + + + + WRLinux 1019 + + Fedora + + + The operating system installed on the system is + Wind River Linux 1019 + + + + + + + + + + WRLinux 8 + + Fedora + + + The operating system installed on the system is + Wind River Linux 8 + + + + + + + + + Red Hat OpenStack Platform + + Fedora + + + The application installed installed on the system is + Red Hat OpenStack Platform 10. + + + + + + + + + Red Hat OpenStack Platform + + Fedora + + + The application installed installed on the system is + Red Hat OpenStack Platform 13. + + + + + + + + + Red Hat Virtualization 4 + + Fedora + + + The application installed installed on the system is + Red Hat Virtualization 4. + + + + + + + + + Package chrony is installed + + Fedora + + Checks if package chrony is installed. + + + + + + + + + Package gdm is installed + + Fedora + + Checks if package gdm is installed. + + + + + + + + + Package grub2 is installed + + Fedora + + Checks if package grub2-common is installed. + + + + + + + + + + + + + Package libuser is installed + + Fedora + + Checks if package libuser is installed. + + + + + + + + + Package providing /etc/login.defs is installed + + Fedora + + Checks if package providing /etc/login.defs and is installed. + + + + + + + + + Package net-snmp is installed + + Fedora + + Checks if package net-snmp is installed. + + + + + + + + + Package nss-pam-ldapd is installed + + Fedora + + Checks if package nss-pam-ldapd is installed. + + + + + + + + + Package ntp is installed + + Fedora + + Checks if package ntp is installed. 
+ + + + + + + + + Package pam is installed + + Fedora + + Checks if package pam is installed. + + + + + + + + + Package sssd-common is installed + + Fedora + + Checks if package sssd-common is installed. + + + + + + + + + Package sudo is installed + + Fedora + + Checks if package sudo is installed. + + + + + + + + + Package systemd is installed + + Fedora + + Checks if package systemd is installed. + + + + + + + + + Package yum is installed + + Fedora + + Checks if package yum is installed. + + + + + + + + + System uses zIPL + + Fedora + + Checks if system uses zIPL bootloader. + + + + + + + + + Check if the scan target is a container + + Fedora + + Check for presence of files characterizing container filesystems. + + + + + + + + + + Check if the scan target is a machine + + Fedora + + Check for absence of files characterizing container filesystems. + + + + + + + + + Test for different architecture than s390x + + Fedora + + Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x + + + + + + + + SSSD is configured to use LDAP + + Fedora + + Identification provider is not set to ad within /etc/sssd/sssd.conf + + + + + + + + + Non-UEFI system boot mode check + + Fedora + + Check if System boot mode is non-UEFI. + + + + + + + + + UEFI system boot mode check + + Fedora + + Check if system boot mode is UEFI. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + centos-release + + + centos-release + + + /etc/os-release + ^ID="(\w+)"$ + 1 + + + /etc/os-release + ^VERSION_ID="(\d)"$ + 1 + + + /etc/debian_version + + + /etc/debian_version + ^10.[0-9]+$ + 1 + + + /etc/debian_version + ^9.[0-9]+$ + 1 + + + fedora-release.* + + + /etc/system-release-cpe + ^cpe:\/o:fedoraproject:fedora:[\d]+$ + 1 + + + oraclelinux-release + + + oraclelinux-release + + + openSUSE-release + + + openSUSE-release + + + openSUSE-release + + + + /etc/os-release + ^ID="(\w+)"$ + 1 + + + /etc/os-release + ^VERSION_ID="(\d)\.\d+"$ + 1 + + + + redhat-release-client + + + redhat-release-workstation + + + redhat-release-server + + + redhat-release-computenode + + + /etc/redhat-release + ^Red Hat Enterprise Linux release (\d)\.\d+$ + 1 + + + + redhat-release + + + /etc/redhat-release + ^Red Hat Enterprise Linux release (\d)\.\d+$ + 1 + + + + redhat-release + + + /etc/redhat-release + ^Red Hat Enterprise Linux release (\d)\.\d+$ + 1 + + + redhat-release-virtualization-host + + + sl-release + + + sl-release + + + + sled-release + + + sles-release + + + SLES_SAP-release + + + + sled-release + + + sles-release + + + SLES_SAP-release + + + /etc/lsb-release + + + /etc/lsb-release + ^DISTRIB_ID=Ubuntu$ + 1 + + + /etc/lsb-release + ^DISTRIB_CODENAME=xenial$ + 1 + + + /etc/lsb-release + ^DISTRIB_CODENAME=bionic$ + 1 + + + /etc/lsb-release + ^DISTRIB_CODENAME=focal$ + 1 + + + + /etc/os-release + 
^NAME=.Wind[\s]+River[\s]+Linux.*$ + 1 + + + /etc/os-release + ^VERSION=.10\.19.*$ + 1 + + + + /etc/wrlinux-release + ^VERSION=.8\.0.*$ + 1 + + + rhosp-release + + + rhosp-release + + + rhvm-appliance + + + chrony + + + gdm + + + grub2-common + + + /sys/firmware/opal + + + libuser + + + shadow-utils + + + net-snmp + + + nss-pam-ldapd + + + ntp + + + pam + + + sssd-common + + + sudo + + + systemd + + + yum + + + s390utils-base + + + /.dockerenv + + + /run/.containerenv + + + /proc/sys/kernel/osrelease + ^.*\.(.*)$ + 1 + + + /etc/sssd/sssd.conf + ^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*id_provider[ \t]*=[ \t]*((?i)ad)[ \t]*$ + 1 + + + /sys/firmware/efi + + + + + + + ^6.*$ + + + ^7.*$ + + + centos + + + 8 + + + ^7.*$ + + + ^8.*$ + + + openSUSE-release + + + ^15.*$ + + + ^42.*$ + + + unix + + + rhcos + + + 4 + + + unix + + + ^7.*$ + + + ^7.*$ + + + ^7.*$ + + + ^7.*$ + + + 7 + + + unix + + + ^8.*$ + + + 8 + + + unix + + + ^9.*$ + + + 9 + + + 0:4.4 + + + ^6.*$ + + + ^7.*$ + + + unix + + + ^12.*$ + + + ^12.*$ + + + ^12.*$ + + + unix + + + ^15.*$ + + + ^15.*$ + + + ^15.*$ + + + unix + + + unix + + + ^10.*$ + + + ^13.*$ + + + ^4.*$ + + + ^s390x$ + + + ppc64le + + + + + + + + Package chrony is installed + oval:ssg-installed_env_has_chrony_package:def:1 + + + Package gdm is installed + oval:ssg-installed_env_has_gdm_package:def:1 + + + Package grub2 is installed + oval:ssg-installed_env_has_grub2_package:def:1 + + + Package libuser is installed + oval:ssg-installed_env_has_libuser_package:def:1 + + + Package providing /etc/login.defs is installed + oval:ssg-installed_env_has_login_defs:def:1 + + + Bare-metal or Virtual Machine + oval:ssg-installed_env_is_a_machine:def:1 + + + Package net-snmp is installed + oval:ssg-installed_env_has_net-snmp_package:def:1 + + + System boot mode is non-UEFI + oval:ssg-system_boot_mode_is_non_uefi:def:1 + + + System architecture is not S390X + oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1 + + + Package ntp is installed + 
oval:ssg-installed_env_has_ntp_package:def:1 + + + Package pam is installed + oval:ssg-installed_env_has_pam_package:def:1 + + + Package sssd-common is installed + oval:ssg-installed_env_has_sssd-common_package:def:1 + + + Package sudo is installed + oval:ssg-installed_env_has_sudo_package:def:1 + + + System boot mode is UEFI + oval:ssg-system_boot_mode_is_uefi:def:1 + + + Package yum is installed + oval:ssg-installed_env_has_yum_package:def:1 + + + System uses zipl + oval:ssg-installed_env_has_zipl_package:def:1 + + + Fedora 32 + oval:ssg-installed_OS_is_fedora:def:1 + + + + + + 1 + + OSPP - Protection Profile for General Purpose Operating Systems [CUSTOMIZED] + This profile reflects mandatory configuration controls identified in the +NIAP Configuration Annex to the Protection Profile for General Purpose +Operating Systems (Protection Profile Version 4.2). + +As Fedora OS is moving target, this profile does not guarantee to provide +security levels required from US National Security Systems. Main goal of +the profile is to provide Fedora developers with hardened environment +similar to the one mandated by US National Security Systems. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 127.0.0.1 + + + + + 10.43.21.233 + + + + + 10.200.153.45 + + + + + 192.168.122.1 + + + + + 0:0:0:0:0:0:0:1 + + + + + 2620:52:0:2b15:76a6:117d:1d6:7579 + + + + + fe80:0:0:0:648:e757:55c:e02e + + + + + fe80:0:0:0:3bc2:6468:e470:d804 + + + + + fe80:0:0:0:fc21:e6ff:feca:b1f9 + + + + 00:00:00:00:00:00 + + + 00:50:B6:8E:49:DA + + + 00:2B:67:04:65:C0 + + + 74:D8:3E:1A:0C:3E + + + 52:54:00:E8:16:C5 + + + FE:21:E6:CA:B1:F9 + + + rh-hony + rh-hony + + + + + + + + + OSCAP Scan Result + jrodak + + 
rh-hony + 127.0.0.1 + 10.43.21.233 + 10.200.153.45 + 192.168.122.1 + 0:0:0:0:0:0:0:1 + 2620:52:0:2b15:76a6:117d:1d6:7579 + fe80:0:0:0:648:e757:55c:e02e + fe80:0:0:0:3bc2:6468:e470:d804 + fe80:0:0:0:fc21:e6ff:feca:b1f9 + + OpenSCAP + 1.3.5 + rh-hony + rh-hony + 00:00:00:00:00:00 + 00:00:00:00:00:00 + 00:50:B6:8E:49:DA + 00:50:B6:8E:49:DA + 00:2B:67:04:65:C0 + 00:2B:67:04:65:C0 + 74:D8:3E:1A:0C:3E + 74:D8:3E:1A:0C:3E + 52:54:00:E8:16:C5 + 52:54:00:E8:16:C5 + FE:21:E6:CA:B1:F9 + FE:21:E6:CA:B1:F9 + 127.0.0.1 + 10.43.21.233 + 10.200.153.45 + 192.168.122.1 + ::1 + 2620:52:0:2b15:76a6:117d:1d6:7579 + fe80::648:e757:55c:e02e + fe80::3bc2:6468:e470:d804 + fe80::fc21:e6ff:feca:b1f9 + + + + + + + + + + + + + + + + function create_audit_remediation_unsuccessful_file_modification_detailed { + mkdir -p "$(dirname "$1")" + # The - option to mark a here document limit string (<<-EOF) suppresses leading tabs (but not spaces) in the output. + cat <<-EOF > "$1" + ## This content is a section of an Audit config snapshot recommended for linux systems that target OSPP compliance. + ## The following content has been retreived on 2019-03-11 from: https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules + + ## The purpose of these rules is to meet the requirements for Operating + ## System Protection Profile (OSPP)v4.2. These rules depends on having + ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. 
+ + ## Unsuccessful file creation (open with O_CREAT) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create + + ## Unsuccessful file modifications (open for write or truncate) + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F 
key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification + + ## Unsuccessful file access (any other opens) This has to go last. + -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-access + EOF +} + # Print a message to stderr and exit the shell +# $1: The message to print. 
+# $2: The error code (optional, default is 1) +function die { + local _message="$1" _rc="${2:-1}" + printf '%s\n' "$_message" >&2 + exit "$_rc" +} + function ensure_pam_module_options { + if [ $# -lt 7 ] || [ $# -gt 8 ] ; then + echo "$0 requires seven or eight arguments" >&2 + exit 1 + fi + local _pamFile="$1" _type="$2" _control="$3" _module="$4" _option="$5" _valueRegex="$6" _defaultValue="$7" + local _remove_argument="" + if [ $# -eq 8 ] ; then + _remove_argument="$8" + # convert it to lowercase + _remove_argument=${_remove_argument,,} + fi + + # make sure that we have a line like this in ${_pamFile} (additional options are left as-is): + # ${_type} ${_control} ${_module} ${_option}=${_valueRegex} + + if ! [ -e "$_pamFile" ] ; then + echo "$_pamFile doesn't exist" >&2 + exit 1 + fi + + # if remove argument only + if [ "${_remove_argument}" = "yes" -o "${_remove_argument}" = "true" ] ; then + sed --follow-symlinks -i -E -e "s/^(\\s*${_type}\\s+\\S+\\s+${_module}(\\s.+)?)\\s${_option}(=\\S+)?/\\1/" "${_pamFile}" + exit 0 + fi + + # non-empty values need to be preceded by an equals sign + [ -n "${_valueRegex}" ] && _valueRegex="=${_valueRegex}" + # add an equals sign to non-empty values + [ -n "${_defaultValue}" ] && _defaultValue="=${_defaultValue}" + + # fix 'type' if it's wrong + if grep -q -P "^\\s*(?"'!'"${_type}\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+${_module}" < "${_pamFile}" ; then + sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+${_module})/\\1${_type}\\2/" "${_pamFile}" + fi + + # fix 'control' if it's wrong + if grep -q -P "^\\s*${_type}\\s+(?"'!'"${_control})[[:alnum:]]+\\s+${_module}" < "${_pamFile}" ; then + sed --follow-symlinks -i -E -e "s/^(\\s*${_type}\\s+)[[:alnum:]]+(\\s+${_module})/\\1${_control}\\2/" "${_pamFile}" + fi + + # fix the value for 'option' if one exists but does not match '_valueRegex' + if grep -q -P "^\\s*${_type}\\s+${_control}\\s+${_module}(\\s.+)?\\s+${_option}(?"'!'"${_valueRegex}(\\s|\$))" < 
"${_pamFile}" ; then + sed --follow-symlinks -i -E -e "s/^(\\s*${_type}\\s+${_control}\\s+${_module}(\\s.+)?\\s)${_option}=[^[:space:]]+/\\1${_option}${_defaultValue}/" "${_pamFile}" + + # add 'option=default' if option is not set + elif grep -q -E "^\\s*${_type}\\s+${_control}\\s+${_module}" < "${_pamFile}" && + grep -E "^\\s*${_type}\\s+${_control}\\s+${_module}" < "${_pamFile}" | grep -q -E -v "\\s${_option}(=|\\s|\$)" ; then + + sed --follow-symlinks -i -E -e "s/^(\\s*${_type}\\s+${_control}\\s+${_module}[^\\n]*)/\\1 ${_option}${_defaultValue}/" "${_pamFile}" + # add a new entry if none exists + elif ! grep -q -P "^\\s*${_type}\\s+${_control}\\s+${_module}(\\s.+)?\\s+${_option}${_valueRegex}(\\s|\$)" < "${_pamFile}" ; then + echo "${_type} ${_control} ${_module} ${_option}${_defaultValue}" >> "${_pamFile}" + fi +} + # Function to fix syscall audit rule for given system call. It is +# based on example audit syscall rule definitions as outlined in +# /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit +# package. It will combine multiple system calls belonging to the same +# syscall group into one audit rule (rather than to create audit rule per +# different system call) to avoid audit infrastructure performance penalty +# in the case of 'one-audit-rule-definition-per-one-system-call'. See: +# +# https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html +# +# for further details. 
+# +# Expects five arguments (each of them is required) in the form of: +# * audit tool tool used to load audit rules, +# either 'auditctl', or 'augenrules +# * audit rules' pattern audit rule skeleton for same syscall +# * syscall group greatest common string this rule shares +# with other rules from the same group +# * architecture architecture this rule is intended for +# * full form of new rule to add expected full form of audit rule as to be +# added into audit.rules file +# +# Note: The 2-th up to 4-th arguments are used to determine how many existing +# audit rules will be inspected for resemblance with the new audit rule +# (5-th argument) the function is going to add. The rule's similarity check +# is performed to optimize audit.rules definition (merge syscalls of the same +# group into one rule) to avoid the "single-syscall-per-audit-rule" performance +# penalty. +# +# Example call: +# +# See e.g. 'audit_rules_file_deletion_events.sh' remediation script +# +function fix_audit_syscall_rule { + +# Load function arguments into local variables +local tool="$1" +local pattern="$2" +local group="$3" +local arch="$4" +local full_rule="$5" + +# Check sanity of the input +if [ $# -ne "5" ] +then + echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'" + echo "Aborting." + exit 1 +fi + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +declare -a files_to_inspect + +retval=0 + +# First check sanity of the specified audit tool +if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] +then + echo "Unknown audit rules loading tool: $1. Aborting." + echo "Use either 'auditctl' or 'augenrules'!" + return 1 +# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# file to the list of files to be inspected +elif [ "$tool" == 'auditctl' ] +then + files_to_inspect+=('/etc/audit/audit.rules' ) +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +elif [ "$tool" == 'augenrules' ] +then + # Extract audit $key from audit rule so we can use it later + matches=() + key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)') + readarray -t matches < <(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules) + if [ $? 
-ne 0 ] + then + retval=1 + fi + for match in "${matches[@]}" + do + files_to_inspect+=("${match}") + done + # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet + if [ ${#files_to_inspect[@]} -eq "0" ] + then + file_to_inspect="/etc/audit/rules.d/$key.rules" + files_to_inspect=("$file_to_inspect") + if [ ! -e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi + fi +fi + +# +# Indicator that we want to append $full_rule into $audit_file by default +local append_expected_rule=0 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that: + # * follow the rule pattern, and + # * meet the hardware architecture requirement, and + # * are current syscall group specific + readarray -t existing_rules < <(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file") + if [ $? -ne 0 ] + then + retval=1 + fi + + # Process rules found case-by-case + for rule in "${existing_rules[@]}" + do + # Found rule is for same arch & key, but differs (e.g. in count of -S arguments) + if [ "${rule}" != "${full_rule}" ] + then + # If so, isolate just '(-S \w)+' substring of that rule + rule_syscalls=$(echo "$rule" | grep -o -P '(-S \w+ )+') + # Check if list of '-S syscall' arguments of that rule is subset + # of '-S syscall' list of expected $full_rule + if grep -q -- "$rule_syscalls" <<< "$full_rule" + then + # Rule is covered (i.e. the list of -S syscalls for this rule is + # subset of -S syscalls of $full_rule => existing rule can be deleted + # Thus delete the rule from audit.rules & our array + sed -i -e "\;${rule};d" "$audit_file" + if [ $? -ne 0 ] + then + retval=1 + fi + existing_rules=("${existing_rules[@]//$rule/}") + else + # Rule isn't covered by $full_rule - it besides -S syscall arguments + # for this group contains also -S syscall arguments for other syscall + # group. 
Example: '-S lchown -S fchmod -S fchownat' => group='chown' + # since 'lchown' & 'fchownat' share 'chown' substring + # Therefore: + # * 1) delete the original rule from audit.rules + # (original '-S lchown -S fchmod -S fchownat' rule would be deleted) + # * 2) delete the -S syscall arguments for this syscall group, but + # keep those not belonging to this syscall group + # (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod' + # * 3) append the modified (filtered) rule again into audit.rules + # if the same rule not already present + # + # 1) Delete the original rule + sed -i -e "\;${rule};d" "$audit_file" + if [ $? -ne 0 ] + then + retval=1 + fi + + # 2) Delete syscalls for this group, but keep those from other groups + # Convert current rule syscall's string into array splitting by '-S' delimiter + IFS_BKP="$IFS" + IFS=$'-S' + read -a rule_syscalls_as_array <<< "$rule_syscalls" + # Reset IFS back to default + IFS="$IFS_BKP" + # Splitting by "-S" can't be replaced by the readarray functionality easily + + # Declare new empty string to hold '-S syscall' arguments from other groups + new_syscalls_for_rule='' + # Walk through existing '-S syscall' arguments + for syscall_arg in "${rule_syscalls_as_array[@]}" + do + # Skip empty $syscall_arg values + if [ "$syscall_arg" == '' ] + then + continue + fi + # If the '-S syscall' doesn't belong to current group add it to the new list + # (together with adding '-S' delimiter back for each of such item found) + if grep -q -v -- "$group" <<< "$syscall_arg" + then + new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg" + fi + done + # Replace original '-S syscall' list with the new one for this rule + updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule} + # Squeeze repeated whitespace characters in rule definition (if any) into one + updated_rule=$(echo "$updated_rule" | tr -s '[:space:]') + # 3) Append the modified / filtered rule again into audit.rules + # (but only in case it's not present 
yet to prevent duplicate definitions) + if ! grep -q -- "$updated_rule" "$audit_file" + then + echo "$updated_rule" >> "$audit_file" + fi + fi + else + # $audit_file already contains the expected rule form for this + # architecture & key => don't insert it second time + append_expected_rule=1 + fi + done + + # We deleted all rules that were subset of the expected one for this arch & key. + # Also isolated rules containing system calls not from this system calls group. + # Now append the expected rule if it's not present in $audit_file yet + if [[ ${append_expected_rule} -eq "0" ]] + then + echo "$full_rule" >> "$audit_file" + fi +done + +return $retval + +} + # Function to fix audit file system object watch rule for given path: +# * if rule exists, also verifies the -w bits match the requirements +# * if rule doesn't exist yet, appends expected rule form to $files_to_inspect +# audit rules file, depending on the tool which was used to load audit rules +# +# Expects four arguments (each of them is required) in the form of: +# * audit tool tool used to load audit rules, +# either 'auditctl', or 'augenrules' +# * path value of -w audit rule's argument +# * required access bits value of -p audit rule's argument +# * key value of -k audit rule's argument +# +# Example call: +# +# fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules" +# +function fix_audit_watch_rule { + +# Load function arguments into local variables +local tool="$1" +local path="$2" +local required_access_bits="$3" +local key="$4" + +# Check sanity of the input +if [ $# -ne "4" ] +then + echo "Usage: fix_audit_watch_rule 'tool' 'path' 'bits' 'key'" + echo "Aborting." + exit 1 +fi + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +declare -a files_to_inspect +files_to_inspect=() + +# Check sanity of the specified audit tool +if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] +then + echo "Unknown audit rules loading tool: $1. Aborting." + echo "Use either 'auditctl' or 'augenrules'!" + exit 1 +# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# into the list of files to be inspected +elif [ "$tool" == 'auditctl' ] +then + files_to_inspect+=('/etc/audit/audit.rules') +# If the audit is 'augenrules', then check if rule is already defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. +# If rule isn't defined, add '/etc/audit/rules.d/$key.rules' to list of files for inspection. 
+elif [ "$tool" == 'augenrules' ] +then + readarray -t matches < <(grep -P "[\s]*-w[\s]+$path" /etc/audit/rules.d/*.rules) + + # For each of the matched entries + for match in "${matches[@]}" + do + # Extract filepath from the match + rulesd_audit_file=$(echo $match | cut -f1 -d ':') + # Append that path into list of files for inspection + files_to_inspect+=("$rulesd_audit_file") + done + # Case when particular audit rule isn't defined yet + if [ "${#files_to_inspect[@]}" -eq "0" ] + then + # Append '/etc/audit/rules.d/$key.rules' into list of files for inspection + local key_rule_file="/etc/audit/rules.d/$key.rules" + # If the $key.rules file doesn't exist yet, create it with correct permissions + if [ ! -e "$key_rule_file" ] + then + touch "$key_rule_file" + chmod 0640 "$key_rule_file" + fi + + files_to_inspect+=("$key_rule_file") + fi +fi + +# Finally perform the inspection and possible subsequent audit rule +# correction for each of the files previously identified for inspection +for audit_rules_file in "${files_to_inspect[@]}" +do + + # Check if audit watch file system object rule for given path already present + if grep -q -P -- "[\s]*-w[\s]+$path" "$audit_rules_file" + then + # Rule is found => verify yet if existing rule definition contains + # all of the required access type bits + + # Escape slashes in path for use in sed pattern below + local esc_path=${path//$'/'/$'\/'} + # Define BRE whitespace class shortcut + local sp="[[:space:]]" + # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule + current_access_bits=$(sed -ne "s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p" "$audit_rules_file") + # Split required access bits string into characters array + # (to check bit's presence for one bit at a time) + for access_bit in $(echo "$required_access_bits" | grep -o .) + do + # For each from the required access bits (e.g. 'w', 'a') check + # if they are already present in current access bits for rule. 
+ # If not, append that bit at the end + if ! grep -q "$access_bit" <<< "$current_access_bits" + then + # Concatenate the existing mask with the missing bit + current_access_bits="$current_access_bits$access_bit" + fi + done + # Propagate the updated rule's access bits (original + the required + # ones) back into the /etc/audit/audit.rules file for that rule + sed -i "s/\($sp*-w$sp\+$esc_path$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)/\1$current_access_bits\3/" "$audit_rules_file" + else + # Rule isn't present yet. Append it at the end of $audit_rules_file file + # with proper key + + echo "-w $path -p $required_access_bits -k $key" >> "$audit_rules_file" + fi +done +} + function include_merge_files_by_lines { + : +} + +# 1: Filename of the "master" file +# 2: Filename of the newly created file +function create_empty_file_like { + local lines_count + lines_count=$(cat "$1" | wc -l) + for _ in $(seq 1 "$lines_count"); do + printf '\n' >> "$2" + done +} + + +# 1: Filename of the "master" file +# 2: Filename of sample flie +function second_file_is_same_except_newlines { + local lines_of_master lines_of_sample len_of_master line_number i + readarray -t lines_of_master < "$1" + readarray -t lines_of_sample < "$2" + + len_of_master="${#lines_of_master[@]}" + if test "$len_of_master" != "${#lines_of_sample[@]}"; then + echo "Files '$1' and '$2' have different number of lines, $len_of_master and ${#lines_of_sample[@]} respectively." + return 1 + fi + + for line_number in $(seq 1 "$len_of_master"); do + i=$((line_number - 1)) + test -n "${lines_of_sample[$i]}" || continue + if test "${lines_of_master[$i]}" != "${lines_of_sample[$i]}"; then + echo "Line $line_number is different in files '$1' and '$2'." 
+ return 1 + fi + done +} + + +# 1: Filename of the "master" file +# 2: Filename of sample flie +# 3: List of indices (1-based, space-separated string) +function merge_first_lines_to_second_on_indices { + local lines_of_master lines_of_sample line_number i + test -f "$2" || create_empty_file_like "$1" "$2" + + readarray -t lines_of_master < "$1" + readarray -t lines_of_sample < "$2" + + error_msg="$(second_file_is_same_except_newlines "$1" "$2")" + if test $? != 0; then + echo "Error merging lines into '$2': $error_msg" >&2 + return 1 + fi + + for line_number in $3; do + i=$((line_number - 1)) + lines_of_sample[$i]="${lines_of_master[$i]}" + done + + printf "%s\n" "${lines_of_sample[@]}" > "$2" +} + function include_mount_options_functions { + : +} + +# $1: type of filesystem +# $2: new mount point option +# $3: filesystem of new mount point (used when adding new entry in fstab) +# $4: mount type of new mount point (used when adding new entry in fstab) +function ensure_mount_option_for_vfstype { + local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=() + readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}') + + for _vfstype_point in "${_vfstype_points[@]}" + do + ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type" + done +} + +# $1: mount point +# $2: new mount point option +# $3: device or virtual string (used when adding new entry in fstab) +# $4: mount type of mount point (used when adding new entry in fstab) +function ensure_mount_option_in_fstab { + local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4 + local _mount_point_match_regexp="" _previous_mount_opts="" + _mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")" + + if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then + # runtime opts without some automatic kernel/userspace-added defaults + _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head 
-1 | awk '{print $4}' \ + | sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//") + [ "$_previous_mount_opts" ] && _previous_mount_opts+="," + echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab + elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then + _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}') + sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab + fi +} + +# $1: mount point +function get_mount_point_regexp { + printf "[[:space:]]%s[[:space:]]" "$1" +} + +# $1: mount point +function assert_mount_point_in_fstab { + local _mount_point_match_regexp + _mount_point_match_regexp="$(get_mount_point_regexp "$1")" + grep "$_mount_point_match_regexp" -q /etc/fstab \ + || { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; } +} + +# $1: mount point +function remove_defaults_from_fstab_if_overriden { + local _mount_point_match_regexp + _mount_point_match_regexp="$(get_mount_point_regexp "$1")" + if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults," + then + sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab + fi +} + +# $1: mount point +function ensure_partition_is_mounted { + local _mount_point="$1" + mkdir -p "$_mount_point" || return 1 + if mountpoint -q "$_mount_point"; then + mount -o remount --target "$_mount_point" + else + mount --target "$_mount_point" + fi +} + # Function to fix syscall audit rule for given system call. It is +# based on example audit syscall rule definitions as outlined in +# /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit +# package. 
It will combine multiple system calls belonging to the same +# syscall group into one audit rule (rather than to create audit rule per +# different system call) to avoid audit infrastructure performance penalty +# in the case of 'one-audit-rule-definition-per-one-system-call'. See: +# +# https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html +# +# for further details. +# +# Expects five arguments (each of them is required) in the form of: +# * audit tool tool used to load audit rules, +# either 'auditctl', or 'augenrules +# * audit rules' pattern audit rule skeleton for same syscall +# * syscall group greatest common string this rule shares +# with other rules from the same group +# * architecture architecture this rule is intended for +# * full form of new rule to add expected full form of audit rule as to be +# added into audit.rules file +# +# Note: The 2-th up to 4-th arguments are used to determine how many existing +# audit rules will be inspected for resemblance with the new audit rule +# (5-th argument) the function is going to add. The rule's similarity check +# is performed to optimize audit.rules definition (merge syscalls of the same +# group into one rule) to avoid the "single-syscall-per-audit-rule" performance +# penalty. +# +# Example call: +# +# See e.g. 'audit_rules_file_deletion_events.sh' remediation script +# +function fix_audit_syscall_rule { + +# Load function arguments into local variables +local tool="$1" +local pattern="$2" +local group="$3" +local arch="$4" +local full_rule="$5" + +# Check sanity of the input +if [ $# -ne "5" ] +then + echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'" + echo "Aborting." + exit 1 +fi + +# Create a list of audit *.rules files that should be inspected for presence and correctness +# of a particular audit rule. 
The scheme is as follows: +# +# ----------------------------------------------------------------------------------------- +# Tool used to load audit rules | Rule already defined | Audit rules file to inspect | +# ----------------------------------------------------------------------------------------- +# auditctl | Doesn't matter | /etc/audit/audit.rules | +# ----------------------------------------------------------------------------------------- +# augenrules | Yes | /etc/audit/rules.d/*.rules | +# augenrules | No | /etc/audit/rules.d/$key.rules | +# ----------------------------------------------------------------------------------------- +# +declare -a files_to_inspect + +retval=0 + +# First check sanity of the specified audit tool +if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] +then + echo "Unknown audit rules loading tool: $1. Aborting." + echo "Use either 'auditctl' or 'augenrules'!" + return 1 +# If audit tool is 'auditctl', then add '/etc/audit/audit.rules' +# file to the list of files to be inspected +elif [ "$tool" == 'auditctl' ] +then + files_to_inspect+=('/etc/audit/audit.rules' ) +# If audit tool is 'augenrules', then check if the audit rule is defined +# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection +# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection +elif [ "$tool" == 'augenrules' ] +then + # Extract audit $key from audit rule so we can use it later + matches=() + key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)') + readarray -t matches < <(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules) + if [ $? 
-ne 0 ] + then + retval=1 + fi + for match in "${matches[@]}" + do + files_to_inspect+=("${match}") + done + # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet + if [ ${#files_to_inspect[@]} -eq "0" ] + then + file_to_inspect="/etc/audit/rules.d/$key.rules" + files_to_inspect=("$file_to_inspect") + if [ ! -e "$file_to_inspect" ] + then + touch "$file_to_inspect" + chmod 0640 "$file_to_inspect" + fi + fi +fi + +# +# Indicator that we want to append $full_rule into $audit_file by default +local append_expected_rule=0 + +for audit_file in "${files_to_inspect[@]}" +do + # Filter existing $audit_file rules' definitions to select those that: + # * follow the rule pattern, and + # * meet the hardware architecture requirement, and + # * are current syscall group specific + readarray -t existing_rules < <(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file") + if [ $? -ne 0 ] + then + retval=1 + fi + + # Process rules found case-by-case + for rule in "${existing_rules[@]}" + do + # Found rule is for same arch & key, but differs (e.g. in count of -S arguments) + if [ "${rule}" != "${full_rule}" ] + then + # If so, isolate just '(-S \w)+' substring of that rule + rule_syscalls=$(echo "$rule" | grep -o -P '(-S \w+ )+') + # Check if list of '-S syscall' arguments of that rule is subset + # of '-S syscall' list of expected $full_rule + if grep -q -- "$rule_syscalls" <<< "$full_rule" + then + # Rule is covered (i.e. the list of -S syscalls for this rule is + # subset of -S syscalls of $full_rule => existing rule can be deleted + # Thus delete the rule from audit.rules & our array + sed -i -e "\;${rule};d" "$audit_file" + if [ $? -ne 0 ] + then + retval=1 + fi + existing_rules=("${existing_rules[@]//$rule/}") + else + # Rule isn't covered by $full_rule - it besides -S syscall arguments + # for this group contains also -S syscall arguments for other syscall + # group. 
Example: '-S lchown -S fchmod -S fchownat' => group='chown' + # since 'lchown' & 'fchownat' share 'chown' substring + # Therefore: + # * 1) delete the original rule from audit.rules + # (original '-S lchown -S fchmod -S fchownat' rule would be deleted) + # * 2) delete the -S syscall arguments for this syscall group, but + # keep those not belonging to this syscall group + # (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod' + # * 3) append the modified (filtered) rule again into audit.rules + # if the same rule not already present + # + # 1) Delete the original rule + sed -i -e "\;${rule};d" "$audit_file" + if [ $? -ne 0 ] + then + retval=1 + fi + + # 2) Delete syscalls for this group, but keep those from other groups + # Convert current rule syscall's string into array splitting by '-S' delimiter + IFS_BKP="$IFS" + IFS=$'-S' + read -a rule_syscalls_as_array <<< "$rule_syscalls" + # Reset IFS back to default + IFS="$IFS_BKP" + # Splitting by "-S" can't be replaced by the readarray functionality easily + + # Declare new empty string to hold '-S syscall' arguments from other groups + new_syscalls_for_rule='' + # Walk through existing '-S syscall' arguments + for syscall_arg in "${rule_syscalls_as_array[@]}" + do + # Skip empty $syscall_arg values + if [ "$syscall_arg" == '' ] + then + continue + fi + # If the '-S syscall' doesn't belong to current group add it to the new list + # (together with adding '-S' delimiter back for each of such item found) + if grep -q -v -- "$group" <<< "$syscall_arg" + then + new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg" + fi + done + # Replace original '-S syscall' list with the new one for this rule + updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule} + # Squeeze repeated whitespace characters in rule definition (if any) into one + updated_rule=$(echo "$updated_rule" | tr -s '[:space:]') + # 3) Append the modified / filtered rule again into audit.rules + # (but only in case it's not present 
yet to prevent duplicate definitions) + if ! grep -q -- "$updated_rule" "$audit_file" + then + echo "$updated_rule" >> "$audit_file" + fi + fi + else + # $audit_file already contains the expected rule form for this + # architecture & key => don't insert it second time + append_expected_rule=1 + fi + done + + # We deleted all rules that were subset of the expected one for this arch & key. + # Also isolated rules containing system calls not from this system calls group. + # Now append the expected rule if it's not present in $audit_file yet + if [[ ${append_expected_rule} -eq "0" ]] + then + echo "$full_rule" >> "$audit_file" + fi +done + +return $retval + +} + + +# Function to perform remediation for the 'adjtimex', 'settimeofday', and 'stime' audit +# system calls on RHEL, Fedora or OL systems. +# Remediation performed for both possible tools: 'auditctl' and 'augenrules'. +# +# Note: 'stime' system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) +# therefore excluded from the list of time group system calls to be audited on this arch +# +# Example Call: +# +# perform_audit_adjtimex_settimeofday_stime_remediation +# +function perform_audit_adjtimex_settimeofday_stime_remediation { + +# Retrieve hardware architecture of the underlying system +[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") + +for ARCH in "${RULE_ARCHS[@]}" +do + + PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *" + # Create expected audit group and audit rule form for particular system call & architecture + if [ ${ARCH} = "b32" ] + then + # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) + # so append it to the list of time group system calls to be audited + GROUP="\(adjtimex\|settimeofday\|stime\)" + FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules" + elif [ ${ARCH} = "b64" ] + then + # stime system call isn't known at 64-bit arch (see "$ ausyscall 
x86_64 stime" 's output) + # therefore don't add it to the list of time group system calls to be audited + GROUP="\(adjtimex\|settimeofday\)" + FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules" + fi + # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' + fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" + fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" +done + +} + # Function to perform remediation for 'audit_rules_privileged_commands' rule +# +# Expects two arguments: +# +# audit_tool tool used to load audit rules +# One of 'auditctl' or 'augenrules' +# +# min_auid Minimum original ID the user logged in with +# +# Example Call(s): +# +# perform_audit_rules_privileged_commands_remediation "auditctl" "500" +# perform_audit_rules_privileged_commands_remediation "augenrules" "1000" +# +function perform_audit_rules_privileged_commands_remediation { +# +# Load function arguments into local variables +local tool="$1" +local min_auid="$2" + +# Check sanity of the input +if [ $# -ne "2" ] +then + echo "Usage: perform_audit_rules_privileged_commands_remediation 'auditctl | augenrules' '500 | 1000'" + echo "Aborting." + exit 1 +fi + +declare -a files_to_inspect=() + +# Check sanity of the specified audit tool +if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] +then + echo "Unknown audit rules loading tool: $1. Aborting." + echo "Use either 'auditctl' or 'augenrules'!" 
+ exit 1 +# If the audit tool is 'auditctl', then: +# * add '/etc/audit/audit.rules'to the list of files to be inspected, +# * specify '/etc/audit/audit.rules' as the output audit file, where +# missing rules should be inserted +elif [ "$tool" == 'auditctl' ] +then + files_to_inspect=("/etc/audit/audit.rules") + output_audit_file="/etc/audit/audit.rules" +# +# If the audit tool is 'augenrules', then: +# * add '/etc/audit/rules.d/*.rules' to the list of files to be inspected +# (split by newline), +# * specify /etc/audit/rules.d/privileged.rules' as the output file, where +# missing rules should be inserted +elif [ "$tool" == 'augenrules' ] +then + readarray -t files_to_inspect < <(find /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -print) + output_audit_file="/etc/audit/rules.d/privileged.rules" +fi + +# Obtain the list of SUID/SGID binaries on the particular system (split by newline) +# into privileged_binaries array +privileged_binaries=() +readarray -t privileged_binaries < <(find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null) + +# Keep list of SUID/SGID binaries that have been already handled within some previous iteration +declare -a sbinaries_to_skip=() + +# For each found sbinary in privileged_binaries list +for sbinary in "${privileged_binaries[@]}" +do + + # Check if this sbinary wasn't already handled in some of the previous sbinary iterations + # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!) 
+ if [[ $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]] + then + # If so, don't process it second time & go to process next sbinary + continue + fi + + # Reset the counter of inspected files when starting to check + # presence of existing audit rule for new sbinary + local count_of_inspected_files=0 + + # Define expected rule form for this binary + expected_rule="-a always,exit -F path=${sbinary} -F auid>=${min_auid} -F auid!=unset -F key=privileged" + + # If list of audit rules files to be inspected is empty, just add new rule and move on to next binary + if [[ ${#files_to_inspect[@]} -eq 0 ]]; then + echo "$expected_rule" >> "$output_audit_file" + continue + fi + + # Replace possible slash '/' character in sbinary definition so we could use it in sed expressions below + sbinary_esc=${sbinary//$'/'/$'\/'} + + # For each audit rules file from the list of files to be inspected + for afile in "${files_to_inspect[@]}" + do + + # Search current audit rules file's content for match. 
Match criteria: + # * existing rule is for the same SUID/SGID binary we are currently processing (but + # can contain multiple -F path= elements covering multiple SUID/SGID binaries) + # * existing rule contains all arguments from expected rule form (though can contain + # them in arbitrary order) + + base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'[^[:graph:]]/!d' \ + -e '/-F path=[^[:space:]]\+/!d' \ + -e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d' \ + -e '/-k \|-F key=/!d' "$afile") + + # Increase the count of inspected files for this sbinary + count_of_inspected_files=$((count_of_inspected_files + 1)) + + + # Search current audit rules file's content for presence of rule pattern for this sbinary + if [[ $base_search ]] + then + + # Current audit rules file already contains rule for this binary => + # Store the exact form of found rule for this binary for further processing + concrete_rule=$base_search + + # Select all other SUID/SGID binaries possibly also present in the found rule + + readarray -t handled_sbinaries < <(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule") + handled_sbinaries=("${handled_sbinaries[@]//-F path=/}") + + # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates + readarray -t sbinaries_to_skip < <(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du) + + # if there is a -F perm flag, remove it + if grep -q '.*-F\s\+perm=[rwxa]\+.*' <<< "$concrete_rule"; then + + # Separate concrete_rule into three sections using hash '#' + # sign as a delimiter around rule's permission section borders + # note that the trailing space after perm flag is captured because there would be + # two consecutive spaces after joining remaining parts of the rule together + concrete_rule="$(echo "$concrete_rule" | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\ \?\)\+/\1#\2#/p")" + + # Split concrete_rule into head, perm, and 
tail sections using hash '#' delimiter + rule_head=$(cut -d '#' -f 1 <<< "$concrete_rule") + rule_perm=$(cut -d '#' -f 2 <<< "$concrete_rule") + rule_tail=$(cut -d '#' -f 3 <<< "$concrete_rule") + + # Remove permissions section from existing rule in the file + sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${rule_tail}#" "$afile" + fi + # If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions: + # + # * in the "auditctl" mode of operation insert particular rule each time + # (because in this mode there's only one file -- /etc/audit/audit.rules to be inspected for presence of this rule), + # + # * in the "augenrules" mode of operation insert particular rule only once and only in case we have already + # searched all of the files from /etc/audit/rules.d/*.rules location (since that audit rule can be defined + # in any of those files and if not, we want it to be inserted only once into /etc/audit/rules.d/privileged.rules file) + # + elif [ "$tool" == "auditctl" ] || [[ "$tool" == "augenrules" && $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]] + then + + # Check if this sbinary wasn't already handled in some of the previous afile iterations + # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!) + if [[ ! $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]] + then + # Current audit rules file's content doesn't contain expected rule for this + # SUID/SGID binary yet => append it + echo "$expected_rule" >> "$output_audit_file" + fi + + continue + fi + + done + +done +} + # The populate function isn't directly used by SSG at the moment but it can be +# used for testing purposes and will be used in SSG Testsuite in the future. + +function populate { +# code to populate environment variables needed (for unit testing) +if [ -z "${!1}" ]; then + echo "$1 is not defined. Exiting." 
+ exit +fi +} + # Function to replace configuration setting in config file or add the configuration setting if +# it does not exist. +# +# Expects arguments: +# +# config_file: Configuration file that will be modified +# key: Configuration option to change +# value: Value of the configuration option to change +# cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists +# format: The printf-like format string that will be given stripped key and value as arguments, +# so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) +# +# Optional arugments: +# +# format: Optional argument to specify the format of how key/value should be +# modified/appended in the configuration file. The default is key = value. +# +# Example Call(s): +# +# With default format of 'key = value': +# replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' +# +# With custom key/value format: +# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' +# +# With a variable: +# replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' +# +function replace_or_append { + local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' + local config_file=$1 + local key=$2 + local value=$3 + local cce=$4 + local format=$5 + + if [ "$case_insensitive_mode" = yes ]; then + sed_case_insensitive_option="i" + grep_case_insensitive_option="-i" + fi + [ -n "$format" ] || format="$default_format" + # Check sanity of the input + [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } + + # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. + # Otherwise, regular sed command will do. 
+ sed_command=('sed' '-i') + if test -L "$config_file"; then + sed_command+=('--follow-symlinks') + fi + + # Test that the cce arg is not empty or does not equal @CCENUM@. + # If @CCENUM@ exists, it means that there is no CCE assigned. + if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then + cce="${cce}" + else + cce="CCE" + fi + + # Strip any search characters in the key arg so that the key can be replaced without + # adding any search characters to the config file. + stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key") + + # shellcheck disable=SC2059 + printf -v formatted_output "$format" "$stripped_key" "$value" + + # If the key exists, change it. Otherwise, add it to the config_file. + # We search for the key string followed by a word boundary (matched by \>), + # so if we search for 'setting', 'setting2' won't match. + if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then + "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file" + else + # \n is precaution for case where file ends without trailing newline + printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" + printf '%s\n' "$formatted_output" >> "$config_file" + fi +} + function set_faillock_option_to_value_in_pam_file { + # If invoked with no arguments, exit. This is an intentional behavior. + [ $# -gt 1 ] || return 0 + [ $# -ge 3 ] || die "$0 requires exactly zero, three, or four arguments" + [ $# -le 4 ] || die "$0 requires exactly zero, three, or four arguments" + local _pamFile="$1" _option="$2" _value="$3" _insert_lines_callback="$4" + # pam_faillock.so already present? + if grep -q "^auth.*pam_faillock.so.*" "$_pamFile"; then + + # pam_faillock.so present, is the option present? 
+ if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*$_option=" "$_pamFile"; then + + # both pam_faillock.so & option present, just correct option to the right value + sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\($_option *= *\).*/\1\2$_value/" "$_pamFile" + sed -i --follow-symlinks "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\($_option *= *\).*/\1\2$_value/" "$_pamFile" + + # pam_faillock.so present, but the option not yet + else + + # append correct option value to appropriate places + sed -i --follow-symlinks "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ $_option=$_value/" "$_pamFile" + sed -i --follow-symlinks "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ $_option=$_value/" "$_pamFile" + fi + + # pam_faillock.so not present yet + else + test -z "$_insert_lines_callback" || "$_insert_lines_callback" "$_option" "$_value" "$_pamFile" + # insert pam_faillock.so preauth & authfail rows with proper value of the option in question + fi +} + 512M + 1h + FIPS + 2592000 + root + 0022 + 900 + 0 + ^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$ + 
^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$ + SHA512 + 5 + 3 + 900 + 0 + 4000000 + 5 + -1 + 8 + -1 + 4 + 3 + 3 + 12 + -1 + 3 + -1 + default + 60 + 7 + 15 + 7 + 5000 + 35 + 4 + 1 + 600 + 027 + single + single + logcollector + root + single + single + single + data + 6 + rotate + 5 + 100 + email + 022 + /dev/cdrom + logcollector + root + root + 0 + 0 + 1 + 1 + 0 + 0 + 0 + 1 + 1 + 0 + 1 + 1 + 500 + 1 + 1 + no + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 1 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 1 + 0 + targeted + enforcing + false + false + true + false + false + true + false + false + false + false + true + false + false + false + false + false + false + false + false + false + false + false + false + false + false + true + false + false + false + false + false + false + true + false + false + false + false + false + false + true + false + true + false + false + false + false + false + false + true + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false 
+ true + false + true + true + false + false + true + false + false + false + false + false + false + false + false + false + false + false + false + false + false + true + false + false + false + true + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + true + false + false + true + false + false + true + true + false + false + false + false + false + true + false + false + false + false + false + true + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + true + true + false + false + true + false + true + true + false + false + false + false + false + false + false + false + false + false + true + false + false + true + true + false + false + true + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + false + true + false + false + false + true + false + true + false + false + true + false + true + false + false + false + false + false + false + false + false + false + true + true + false + false + false + false + true + false + false + true + false + true + false + false + false + false + false + false + true + true + true + false + false + false + false + false + false + true + false + false + false + true + true + false + false + false + false + false + false + false + false + false + false + false + true + false + false + false + false + false + false + false + false + false + true + true + true + true + true + true + false + false + false + false + false + false + false + false + loopback-only + smtp.$mydomain + system.administrator@mail.mil + changemero + changemerw + warn + 100 + 
^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\)\,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including\,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to\,[\s\n]+penetration[\s\n]+testing\,[\s\n]+COMSEC[\s\n]+monitoring\,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense\,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\)\,[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\)\,[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time\,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using\,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on\,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private\,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring\,[\s\n]+interception\,[\s\n]+and[\s\n]+search\,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.\,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above\,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM\,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s
\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications\,[\s\n]+or[\s\n]+work[\s\n]+product\,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys\,[\s\n]+psychotherapists\,[\s\n]+or[\s\n]+clergy\,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$ + 0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org + 10 + /var/lib/tftpboot + 300 + 180 + /etc/openldap/cacerts + public + aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se + hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com + 300 + 22 + 4 + 0 + 10 + 0 + 512M + 1h + no + sandbox + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + + pass + + + + + + pass + + + + + + notselected + + + fail + + + + + + notchecked + No candidate or applicable check found. 
+ + + notselected + + + fail + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. 
+ + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + + pass + + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + + fail + + + + + + fail + + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + + pass + + + + + + pass + + + + + + + pass + + + + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. 
+ + + fail + + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + + fail + + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + fail + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + fail + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. 
+ + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. 
+ + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + + fail + + + + + + pass + + + + + + + pass + + + + + + pass + + + + + + + fail + + + + + + + fail + + + + + + + pass + + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + + fail + + + + + + + pass + + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + notchecked + No candidate or applicable check found. 
+ + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + + pass + + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. 
+ + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + pass + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + fail + + + + + + + fail + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. 
+ + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + notapplicable + + + notapplicable + + + notapplicable + + + notapplicable + + + notapplicable + + + fail + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + pass + + + + + + fail + + + + + + + notchecked + No candidate or applicable check found. + + + pass + + + + + + notapplicable + + + notapplicable + + + notapplicable + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + pass + + + + + + notchecked + No candidate or applicable check found. + + + pass + + + + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + pass + + + + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. 
+ + + fail + + + + + + pass + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + notapplicable + + + notapplicable + + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + notchecked + No candidate or applicable check found. + + + notchecked + No candidate or applicable check found. + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + pass + + + + + + + pass + + + + + + + fail + + + + + + pass + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + fail + + + + + + fail + + + + + + pass + + + + + + notchecked + No candidate or applicable check found. + + + pass + + + + + + fail + + + + + + + + + pass + + + + + + + pass + + + + + + + fail + + + + + + + + + pass + + + + + + + fail + + + + + + + fail + + + + + + + pass + + + + + + + pass + + + + + + + pass + + + + + + + fail + + + + + + + notchecked + No candidate or applicable check found. + + + fail + + + + + + + pass + + + + + + + pass + + + + + + + fail + + + + + + + pass + + + + + + + + pass + + + + + + + pass + + + + + + + pass + + + + + + + pass + + + + + + + fail + + + + + + + + pass + + + + + + + pass + + + + + + + pass + + + + + + + fail + + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + fail + + + + + + + + fail + + + + + 43.542599 + + + + + + + + cpe:/a:open-scap:oscap + 1.3.5 + 5.11 + 2021-08-16T15:11:58 + + + + + + + + + + + + combine_ovals.py from SCAP Security Guide + ssg: [0, 1, 56], python: 3.9.5 + 5.11 + 2021-05-26T00:00:00 + + + + + Disable X Windows Startup By Setting Default Target + + Fedora + + + Ensure that the default runlevel target is set to multi-user.target. 
+ + + + + + + + Deactivate Wireless Network Interfaces + + Fedora + + + All wireless interfaces should be disabled. + + + + + + + + Value of 'var_umask_for_daemons' variable represented as octal number + + Fedora + + + Value of 'var_umask_for_daemons' variable represented as octal number + + + + + + + + Value of 'var_removable_partition' variable is set to '/dev/cdrom' + + Fedora + + + Verify if value of 'var_removable_partition' variable is set + to '/dev/cdrom' + + + + + + + + Value of 'var_accounts_user_umask' variable represented as octal number + + Fedora + + + Value of 'var_accounts_user_umask' variable represented as octal number + + + + + + + + Enforce usage of pam_wheel for su authentication + + Fedora + + + Only members of the wheel group should be able to authenticate through the su command. + + + + + + + + Check that file storing USBGuard rules exists and is not empty + + Fedora + + + Check that file storing USBGuard rules at /etc/usbguard/rules.conf exists and is not empty + + + + + + + + Authorize USB hubs in USBGuard daemon + + Fedora + + + Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists. + + + + + + + + Authorize Human Interface Devices and USB hubs in USBGuard daemon + + Fedora + + + Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists. + + + + + + + + Authorize Human Interface Devices in USBGuard daemon + + Fedora + + + Check that /etc/usbguard/rules.conf exists and that it contains at least one non white space character. + + + + + + + + Set Daemon Umask + + Fedora + + + The daemon umask should be set as appropriate + + + + + + + + + Enable dnf-automatic Timer + + Fedora + + + The dnf-automatic timer should be enabled if possible. 
+ + + + + + + + + + + + Test for x86_64 Architecture + + Fedora + + + Generic test for x86_64 architecture to be used by other tests + + + + + + + + Test for x86 Architecture + + Fedora + + + Generic test for x86 architecture to be used by other tests + + + + + + + + Test for s390_64 Architecture + + Fedora + + + Generic test for s390_64 architecture to be used by other tests + + + + + + + + Test for PPC and PPCLE Architecture + + Fedora + + + Generic test for PPC PPC64LE architecture to be used by other tests + + + + + + + + + Test for aarch_64 Architecture + + Fedora + + + Generic test for aarch_64 architecture to be used by other tests + + + + + + + + Test for 64-bit Architecture + + Fedora + + + Generic test for 64-bit architectures to be used by other tests + + + + + + + + + + + UEFI system boot mode check + + Fedora + + + + Check if system boot mode is UEFI. + + + + + + + + Non-UEFI system boot mode check + + Fedora + + + + Check if System boot mode is non-UEFI. + + + + + + + + Prevent applications from mapping low portion of virtual memory + + Fedora + + + The 'vm.mmap_min_addr' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Disable the use of user namespaces + + Fedora + + + The 'user.max_user_namespaces' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Prevent applications from mapping low portion of virtual memory + + Fedora + + + The kernel 'vm.mmap_min_addr' parameter should be set to '65536' + + + + + + + + + + + Disable the use of user namespaces + + Fedora + + + The kernel 'user.max_user_namespaces' parameter should be set to '0' + + + + + + + + + + + Configure Denying Router Solicitations on All IPv6 Interfaces By Default + + Fedora + + + the appropriate value in the system configuration. 
+ + + + + + + + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Configure Auto Configuration on All IPv6 Interfaces By Default + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Disable Accepting Router Advertisements on all IPv6 Interfaces by Default + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Configure Denying Router Solicitations on All IPv6 Interfaces + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Disable IPv6 Networking Support Automatic Loading + + Fedora + + + The kernel 'net.ipv6.conf.all.disable_ipv6' parameter should be set to '1' + + + + + + + + + + + Configure Auto Configuration on All IPv6 Interfaces + + Fedora + + + the appropriate value in the system configuration. 
+ + + + + + + + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Set Kernel Parameter to Increase Local Port Range + + Fedora + + + The kernel 'net.ipv4.ip_local_port_range' parameter should be set to '32768 65535' + + + + + + + + + + + Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces + + Fedora + + + The kernel 'net.ipv4.ip_forward' parameter should be set to '0' + + + + + + + + + + + Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default + + Fedora + + + The kernel 'net.ipv4.conf.default.send_redirects' parameter should be set to '0' + + + + + + + + + + + Configure Kernel Parameter for Accepting Secure Redirects By Default + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default + + Fedora + + + the appropriate value in the system configuration. 
+ + + + + + + + + + + Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces + + Fedora + + + The kernel 'net.ipv4.conf.all.send_redirects' parameter should be set to '0' + + + + + + + + + + + Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces + + Fedora + + + the appropriate value in the system configuration. + + + + + + + + + + + Disable Accepting ICMP Redirects for All IPv4 Interfaces + + Fedora + + + the appropriate value in the system configuration. 
+ + + + + + + + + + + Harden the operation of the BPF just-in-time compiler + + Fedora + + + The kernel 'net.core.bpf_jit_harden' parameter should be set to '2' + + + + + + + + + + + Restrict usage of ptrace to descendant processes + + Fedora + + + The kernel 'kernel.yama.ptrace_scope' parameter should be set to '1' + + + + + + + + + + + Disable Access to Network bpf() Syscall From Unprivileged Processes + + Fedora + + + The kernel 'kernel.unprivileged_bpf_disabled' parameter should be set to '1' + + + + + + + + + + + Disallow magic SysRq key + + Fedora + + + The kernel 'kernel.sysrq' parameter should be set to '0' + + + + + + + + + + + Enable Randomized Layout of Virtual Address Space + + Fedora + + + The kernel 'kernel.randomize_va_space' parameter should be set to '2' + + + + + + + + + + + Configure maximum number of process identifiers + + Fedora + + + The kernel 'kernel.pid_max' parameter should be set to '65536' + + + + + + + + + + + Disallow kernel profiling by unprivileged users + + Fedora + + + The kernel 'kernel.perf_event_paranoid' parameter should be set to '2' + + + + + + + + + + + Limit sampling frequency of the Perf system + + Fedora + + + The kernel 'kernel.perf_event_max_sample_rate' parameter should be set to '1' + + + + + + + + + + + Limit CPU consumption of the Perf system + + Fedora + + + The kernel 'kernel.perf_cpu_time_max_percent' parameter should be set to '1' + + + + + + + + + + + Disable loading and unloading of kernel modules + + Fedora + + + The kernel 'kernel.modules_disabled' parameter should be set to '1' + + + + + + + + + + + Restrict Exposed Kernel Pointer Addresses Access + + Fedora + + + The kernel 'kernel.kptr_restrict' parameter should be set to '1' + + + + + + + + + + + Disable Kernel Image Loading + + Fedora + + + The kernel 'kernel.kexec_load_disabled' parameter should be set to '1' + + + + + + + + + + + Restrict Access to Kernel Message Buffer + + Fedora + + + The kernel 'kernel.dmesg_restrict' parameter should be set to 
'1' + + + + + + + + + + + Disable storing core dumps + + Fedora + + + The kernel 'kernel.core_pattern' parameter should be set to '|/bin/false' + + + + + + + + + + + Disable Core Dumps for SUID programs + + Fedora + + + The kernel 'fs.suid_dumpable' parameter should be set to '0' + + + + + + + + + + + Enable Kernel Parameter to Enforce DAC on Symlinks + + Fedora + + + The kernel 'fs.protected_symlinks' parameter should be set to '1' + + + + + + + + + + + Enable Kernel Parameter to Enforce DAC on Hardlinks + + Fedora + + + The kernel 'fs.protected_hardlinks' parameter should be set to '1' + + + + + + + + + + + Prevent applications from mapping low portion of virtual memory + + Fedora + + + The kernel 'vm.mmap_min_addr' parameter should be set to '65536' + + + + + + + + Disable the use of user namespaces + + Fedora + + + The kernel 'user.max_user_namespaces' parameter should be set to '0' + + + + + + + + Configure Denying Router Solicitations on All IPv6 Interfaces By Default + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Configure Auto Configuration on All IPv6 Interfaces By Default + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default + + Fedora + + + the appropriate value in the system runtime. 
+ + + + + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Disable Accepting Router Advertisements on all IPv6 Interfaces by Default + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Configure Denying Router Solicitations on All IPv6 Interfaces + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Disable IPv6 Networking Support Automatic Loading + + Fedora + + + The kernel 'net.ipv6.conf.all.disable_ipv6' parameter should be set to '1' + + + + + + + + Configure Auto Configuration on All IPv6 Interfaces + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces + + Fedora + + + the appropriate value in the system runtime. 
+ + + + + + + + Set Kernel Parameter to Increase Local Port Range + + Fedora + + + The kernel 'net.ipv4.ip_local_port_range' parameter should be set to '32768 65535' + + + + + + + + Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces + + Fedora + + + The kernel 'net.ipv4.ip_forward' parameter should be set to '0' + + + + + + + + Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default + + Fedora + + + The kernel 'net.ipv4.conf.default.send_redirects' parameter should be set to '0' + + + + + + + + Configure Kernel Parameter for Accepting Secure Redirects By Default + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces + + Fedora + + + The kernel 'net.ipv4.conf.all.send_redirects' parameter should be set to '0' + + + + + + + + Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces + + Fedora + + + the appropriate value in the system runtime. 
+ + + + + + + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Disable Accepting ICMP Redirects for All IPv4 Interfaces + + Fedora + + + the appropriate value in the system runtime. + + + + + + + + Harden the operation of the BPF just-in-time compiler + + Fedora + + + The kernel 'net.core.bpf_jit_harden' parameter should be set to '2' + + + + + + + + Restrict usage of ptrace to descendant processes + + Fedora + + + The kernel 'kernel.yama.ptrace_scope' parameter should be set to '1' + + + + + + + + Disable Access to Network bpf() Syscall From Unprivileged Processes + + Fedora + + + The kernel 'kernel.unprivileged_bpf_disabled' parameter should be set to '1' + + + + + + + + Disallow magic SysRq key + + Fedora + + + The kernel 'kernel.sysrq' parameter should be set to '0' + + + + + + + + Enable Randomized Layout of Virtual Address Space + + Fedora + + + The kernel 'kernel.randomize_va_space' parameter should be set to '2' + + + + + + + + Configure maximum number of process identifiers + + Fedora + + + The kernel 'kernel.pid_max' parameter should be set to '65536' + + + + + + + + Disallow kernel profiling by unprivileged users + + Fedora + + + The kernel 'kernel.perf_event_paranoid' parameter should be set to '2' + + + + + + + + Limit sampling frequency of the Perf system + + Fedora + + + The kernel 'kernel.perf_event_max_sample_rate' parameter should be set to '1' + + + + + + + + Limit CPU consumption of the Perf system + + Fedora + + + The kernel 'kernel.perf_cpu_time_max_percent' parameter should be set to '1' + + + + + + + + Disable loading and unloading 
of kernel modules + + Fedora + + + The kernel 'kernel.modules_disabled' parameter should be set to '1' + + + + + + + + Restrict Exposed Kernel Pointer Addresses Access + + Fedora + + + The kernel 'kernel.kptr_restrict' parameter should be set to '1' + + + + + + + + Disable Kernel Image Loading + + Fedora + + + The kernel 'kernel.kexec_load_disabled' parameter should be set to '1' + + + + + + + + Restrict Access to Kernel Message Buffer + + Fedora + + + The kernel 'kernel.dmesg_restrict' parameter should be set to '1' + + + + + + + + Disable storing core dumps + + Fedora + + + The kernel 'kernel.core_pattern' parameter should be set to '|/bin/false' + + + + + + + + Disable Core Dumps for SUID programs + + Fedora + + + The kernel 'fs.suid_dumpable' parameter should be set to '0' + + + + + + + + Enable Kernel Parameter to Enforce DAC on Symlinks + + Fedora + + + The kernel 'fs.protected_symlinks' parameter should be set to '1' + + + + + + + + Enable Kernel Parameter to Enforce DAC on Hardlinks + + Fedora + + + The kernel 'fs.protected_hardlinks' parameter should be set to '1' + + + + + + + + Configure Denying Router Solicitations on All IPv6 Interfaces By Default + + Fedora + + + The kernel 'net.ipv6.conf.default.router_solicitations' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces By Default + + Fedora + + + The kernel 'net.ipv6.conf.default.max_addresses' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + Configure Auto Configuration on All IPv6 Interfaces By Default + + Fedora + + + The kernel 'net.ipv6.conf.default.autoconf' parameter should be set to the appropriate value in both system configuration and system runtime. 
+ + + + + + + + + + + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces + + Fedora + + + The kernel 'net.ipv6.conf.default.accept_redirects' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces By Default + + Fedora + + + The kernel 'net.ipv6.conf.default.accept_ra_rtr_pref' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default + + Fedora + + + The kernel 'net.ipv6.conf.default.accept_ra_pinfo' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces By Default + + Fedora + + + The kernel 'net.ipv6.conf.default.accept_ra_defrtr' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + Disable Accepting Router Advertisements on all IPv6 Interfaces by Default + + Fedora + + + The kernel 'net.ipv6.conf.default.accept_ra' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + Configure Denying Router Solicitations on All IPv6 Interfaces + + Fedora + + + The kernel 'net.ipv6.conf.all.router_solicitations' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + Configure Maximum Number of Autoconfigured Addresses on All IPv6 Interfaces + + Fedora + + + The kernel 'net.ipv6.conf.all.max_addresses' parameter should be set to the appropriate value in both system configuration and system runtime. 
+ + + + + + + + + + + + Disable IPv6 Networking Support Automatic Loading + + Fedora + + + The kernel 'net.ipv6.conf.all.disable_ipv6' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + Configure Auto Configuration on All IPv6 Interfaces + + Fedora + + + The kernel 'net.ipv6.conf.all.autoconf' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces + + Fedora + + + The kernel 'net.ipv6.conf.all.accept_ra_rtr_pref' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces + + Fedora + + + The kernel 'net.ipv6.conf.all.accept_ra_pinfo' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + Configure Accepting Default Router in Router Advertisements on All IPv6 Interfaces + + Fedora + + + The kernel 'net.ipv6.conf.all.accept_ra_defrtr' parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + + + + Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces + + Fedora + + + The 'net.ipv4.tcp_syncookies' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Set Kernel Parameter to Increase Local Port Range + + Fedora + + + The 'net.ipv4.ip_local_port_range' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces + + Fedora + + + The 'net.ipv4.ip_forward' kernel parameter should be set to the appropriate value in both system configuration and system runtime. 
+ + + + + + + + + Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces + + Fedora + + + The 'net.ipv4.icmp_ignore_bogus_error_responses' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces + + Fedora + + + The 'net.ipv4.icmp_echo_ignore_broadcasts' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default + + Fedora + + + The 'net.ipv4.conf.default.send_redirects' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Configure Kernel Parameter for Accepting Secure Redirects By Default + + Fedora + + + The 'net.ipv4.conf.default.secure_redirects' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default + + Fedora + + + The 'net.ipv4.conf.default.rp_filter' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default + + Fedora + + + The 'net.ipv4.conf.default.log_martians' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default + + Fedora + + + The 'net.ipv4.conf.default.accept_source_route' kernel parameter should be set to the appropriate value in both system configuration and system runtime. 
+ + + + + + + + + Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces + + Fedora + + + The 'net.ipv4.conf.default.accept_redirects' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces + + Fedora + + + The 'net.ipv4.conf.all.send_redirects' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces + + Fedora + + + The 'net.ipv4.conf.all.secure_redirects' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces + + Fedora + + + The 'net.ipv4.conf.all.rp_filter' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces + + Fedora + + + The 'net.ipv4.conf.all.log_martians' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces + + Fedora + + + The 'net.ipv4.conf.all.accept_source_route' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Disable Accepting ICMP Redirects for All IPv4 Interfaces + + Fedora + + + The 'net.ipv4.conf.all.accept_redirects' kernel parameter should be set to the appropriate value in both system configuration and system runtime. 
+ + + + + + + + + Harden the operation of the BPF just-in-time compiler + + Fedora + + + The 'net.core.bpf_jit_harden' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Restrict usage of ptrace to descendant processes + + Fedora + + + The 'kernel.yama.ptrace_scope' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Disable Access to Network bpf() Syscall From Unprivileged Processes + + Fedora + + + The 'kernel.unprivileged_bpf_disabled' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Disallow magic SysRq key + + Fedora + + + The 'kernel.sysrq' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Enable Randomized Layout of Virtual Address Space + + Fedora + + + The 'kernel.randomize_va_space' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Configure maximum number of process identifiers + + Fedora + + + The 'kernel.pid_max' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Disallow kernel profiling by unprivileged users + + Fedora + + + The 'kernel.perf_event_paranoid' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Limit sampling frequency of the Perf system + + Fedora + + + The 'kernel.perf_event_max_sample_rate' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Limit CPU consumption of the Perf system + + Fedora + + + The 'kernel.perf_cpu_time_max_percent' kernel parameter should be set to the appropriate value in both system configuration and system runtime. 
+ + + + + + + + + Disable loading and unloading of kernel modules + + Fedora + + + The 'kernel.modules_disabled' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Restrict Exposed Kernel Pointer Addresses Access + + Fedora + + + The 'kernel.kptr_restrict' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Disable Kernel Image Loading + + Fedora + + + The 'kernel.kexec_load_disabled' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Kernel Runtime Parameter IPv6 Check + + Fedora + + + Disables IPv6 for all network interfaces. + + + + + + + + + + + Enable ExecShield via sysctl + + Fedora + + + The kernel runtime parameter 'kernel.exec-shield' should not be disabled and set to 1 on 32-bit systems. + + + + + + + + + + + + + + + + Restrict Access to Kernel Message Buffer + + Fedora + + + The 'kernel.dmesg_restrict' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Disable storing core dumps + + Fedora + + + The 'kernel.core_pattern' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Disable Core Dumps for SUID programs + + Fedora + + + The 'fs.suid_dumpable' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Enable Kernel Parameter to Enforce DAC on Symlinks + + Fedora + + + The 'fs.protected_symlinks' kernel parameter should be set to the appropriate value in both system configuration and system runtime. + + + + + + + + + Enable Kernel Parameter to Enforce DAC on Hardlinks + + Fedora + + + The 'fs.protected_hardlinks' kernel parameter should be set to the appropriate value in both system configuration and system runtime. 
+ + + + + + + + + Set kernel parameter 'crypto.fips_enabled' to 1 + + Fedora + + + The kernel 'crypto.fips_enabled' parameter should be set to '1' in system runtime. + + + + + + + + Ensure invoking users password for privilege escalation when using sudo + + Fedora + + + Ensure invoking user's password for privilege escalation when using sudo + + + + + + + + + + Don't target root user in the sudoers file + + Fedora + + + Check that sudoers doesn't allow users to run commands as root + + + + + + + + + Don't define allowed commands in sudoers by means of exclusion + + Fedora + + + Check that sudoers doesn't contain command negations + + + + + + + + Explicit arguments in sudo specifications + + Fedora + + + Check that sudoers doesn't contain commands without arguments specified + + + + + + + + Only the VDSM User Can Use sudo NOPASSWD + + Fedora + + + Checks sudo usage for the vdsm user without a password + + + + + + + + + Ensure Users Re-Authenticate for Privilege Escalation - sudo + + Fedora + + + Checks sudo usage without password + + + + + + + + + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD + + Fedora + + + Checks sudo usage without password + + + + + + + + + Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate + + Fedora + + + Checks sudo usage without authentication + + + + + + + + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty + + Fedora + + + Checks sudoers Defaults {{ OPTION }} configuration + + + + + + + + Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty + + Fedora + + + Checks sudoers Defaults {{ OPTION }} configuration + + + + + + + + Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC + + Fedora + + + Checks sudoers Defaults {{ OPTION }} configuration + + + + + + + + Configure SSSD to Expire SSH Known Hosts + + Fedora + + + SSSD should be configured to expire keys from known SSH hosts after 1 day. 
+ + + + + + + + + + + + Configure SSSD to run as user sssd + + Fedora + + + SSSD processes should be configured to run as user sssd, not root. + + + + + + + + Configure SSSD to Expire Offline Credentials + + Fedora + + + SSSD should be configured to expire offline credentials after 1 day. + + + + + + + + + + + + Configure SSSD's Memory Cache to Expire + + Fedora + + + SSSD's memory cache should be configured to set to expire records after 1 day. + + + + + + + + + + + + Enable Smartcards in SSSD + + Fedora + + + SSSD should be configured to authenticate access to the system + using smart cards. + + + + + + + + + + + + SSSD is configured to use LDAP + + Fedora + + + + Identification provider is not set to ad within /etc/sssd/sssd.conf + + + + + + + + Verify The SSSD Configuration File Exists + + Fedora + + + The /etc/sssd/sssd.conf file should exist if it is + in use. + + + + + + + + Prevent remote hosts from connecting to the proxy display + + Fedora + + + Ensure 'X11UseLocalhost' is configured with value 'yes' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + OpenSSH Server is 7.4 or newer + + Fedora + + + Check if version of OpenSSH Server is equal or higher than 7.4 + + + + + + + + Enable Use of Privilege Separation + + Fedora + + + Ensure 'UsePrivilegeSeparation' is configured with value 'sandbox' in '/etc/ssh/sshd_config' + + + + + + + + + + + + Set SSH MaxSessions limit + + Fedora + + + The SSH number of max sessions should be set to an + appropriate value. + + + + + + + + + + + + + + + + Set SSH authentication attempt limit + + Fedora + + + The SSH MaxAuthTries should be set to an + appropriate value. 
+ + + + + + + + + Set SSH Daemon LogLevel to VERBOSE + + Fedora + + + Ensure 'LogLevel' is configured with value 'VERBOSE' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Set LogLevel to INFO + + Fedora + + + Ensure 'LogLevel' is configured with value 'INFO' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Set SSH Client Alive Count Max to zero + + Fedora + + + Ensure 'ClientAliveCountMax' is configured with value '0' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + Set SSH Client Alive Count Max + + Fedora + + + The SSH ClientAliveCountMax should be set to an appropriate + value (and dependencies are met) + + + + + + + + + + + + + + + + Set SSH Idle Timeout Interval + + Fedora + + + The SSH idle timeout interval should be set to an + appropriate value. + + + + + + + + + + + + + + + + + It doesn't matter if sshd is installed or not + + Fedora + + + Test if value sshd_required is 0. + + + + + + + + SSHD is required to be installed or requirement not set + + Fedora + + + If SSHD is required, we check it is installed. If SSH requirement is unset, we are good. + + + + + + + + + Force frequent session key renegotiation + + Fedora + + + Ensure 'RekeyLimit' is configured with the correct value in '/etc/ssh/sshd_config' + + + + + + + + + + + + + + + + Enable SSH Print Last Log + + Fedora + + + Ensure 'PrintLastLog' is configured with value 'yes' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + SSHD is not required to be installed or requirement not set + + Fedora + + + If SSHD is not required, we check it is not installed. If SSH requirement is unset, we are good. 
+ + + + + + + + + Enable Encrypted X11 Forwarding + + Fedora + + + Ensure 'X11Forwarding' is configured with value 'yes' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + Enable SSH Warning Banner + + Fedora + + + Ensure 'Banner' is configured with value '/etc/issue' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + Enable Use of Strict Mode Checking + + Fedora + + + Ensure 'StrictModes' is configured with value 'yes' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Enable GSSAPI Authentication + + Fedora + + + Ensure 'GSSAPIAuthentication' is configured with value 'yes' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + Do Not Allow SSH Environment Options + + Fedora + + + Ensure 'PermitUserEnvironment' is configured with value 'no' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Disable X11 Forwarding + + Fedora + + + Ensure 'X11Forwarding' is configured with value 'no' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Disable SSH Support for User Known Hosts + + Fedora + + + Ensure 'IgnoreUserKnownHosts' is configured with value 'yes' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + Disable SSH TCP Forwarding + + Fedora + + + Ensure 'AllowTcpForwarding' is configured with value 'no' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + Disable SSH root Login with a Password (Insecure) + + Fedora + + + Ensure 'PermitRootLogin' is configured with value 'prohibit-password' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Disable SSH Root Login + + Fedora + + + Ensure 'PermitRootLogin' is configured with value 'no' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + Disable SSH Support for Rhosts RSA Authentication + + Fedora + + + SSH can allow authentication through the obsolete rsh command + through the use of the authenticating user's SSH keys. This should be disabled. 
+ + + + + + + + + + + + + + + + + + + Disable SSH Support for .rhosts Files + + Fedora + + + Ensure 'IgnoreRhosts' is configured with value 'yes' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Disable PubkeyAuthentication Authentication + + Fedora + + + Ensure 'PubkeyAuthentication' is configured with value 'no' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + Disable Kerberos Authentication + + Fedora + + + Ensure 'KerberosAuthentication' is configured with value 'no' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Disable GSSAPI Authentication + + Fedora + + + Ensure 'GSSAPIAuthentication' is configured with value 'no' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Disable SSH Access via Empty Passwords + + Fedora + + + Ensure 'PermitEmptyPasswords' is configured with value 'no' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Disable Compression Or Set Compression to delayed + + Fedora + + + SSH should either have compression disabled or set to delayed. + + + + + + + + + + + + + + + + + Allow Only SSH Protocol 2 + + Fedora + + + The OpenSSH daemon should be running protocol 2. + + + + + + + + + + + + + + + + + + + Configure SNMP Service to Use Only SNMPv3 or Newer + + Fedora + + + SNMP version 1 and 2c must not be enabled. + + + + + + + + + Ensure Default SNMP Password Is Not Used + + Fedora + + + SNMP default communities must be removed. + + + + + + + + Enable Smart Card Login + + Fedora + + + Enable Smart Card logins + + + + + + + + + + + + + + + + + + + Set PAM's Password Hashing Algorithm + + Fedora + + + The password hashing algorithm should be set correctly in /etc/pam.d/system-auth. + + + + + + + + Set Password Hashing Algorithm in /etc/login.defs + + Fedora + + + The password hashing algorithm should be set correctly in /etc/login.defs. 
+ + + + + + + + Set Password Hashing Algorithm in /etc/libuser.conf + + Fedora + + + The password hashing algorithm should be set correctly in /etc/libuser.conf. + + + + + + + + Set Default firewalld Zone for Incoming Packets + + Fedora + + + Change the default firewalld zone to drop. + + + + + + + + Enable the USBGuard Service + + Fedora + + + The usbguard service should be enabled if possible. + + + + + + + + + + + + + + + Disable acquiring, saving, and processing core dumps + + Fedora + + + The systemd-coredump service should be disabled if possible. + + + + + + + + + + + + + Enable syslog-ng Service + + Fedora + + + The syslogng service should be enabled if possible. + + + + + + + + + + + + + + + service_syslog_disabled + + Fedora + + + The syslog service should be disabled if possible. + + + + + + + + + + + + + service_sssd_disabled + + Fedora + + + The sssd service should be disabled if possible. + + + + + + + + + + + + + Disable SSH Server If Possible (Unusual) + + Fedora + + + The sshd service should be disabled if possible. + + + + + + + + + + + + + Enable rsyslog Service + + Fedora + + + The rsyslog service should be enabled if possible. + + + + + + + + + + + + + + + Ensure rsyncd service is diabled + + Fedora + + + The rsyncd service should be disabled if possible. + + + + + + + + + + + + + Disable Secure RPC Server Service (rpcsvcgssd) + + Fedora + + + The rpcsvcgssd service should be disabled if possible. + + + + + + + + + + + + + Disable RPC ID Mapping Service (rpcidmapd) + + Fedora + + + The rpcidmapd service should be disabled if possible. + + + + + + + + + + + + + Disable Secure RPC Client Service (rpcgssd) + + Fedora + + + The rpcgssd service should be disabled if possible. + + + + + + + + + + + + + Enable the Hardware RNG Entropy Gatherer Service + + Fedora + + + The rngd service should be enabled if possible. + + + + + + + + + + + + + + + Enable the pcscd Service + + Fedora + + + The pcscd service should be enabled if possible. 
+ + + + + + + + + + + + + + + Enable the NTP Daemon + + Fedora + + + The ntpd service should be enabled if possible. + + + + + + + + + + + + + + + Enable the NTP Daemon + + Fedora + + + The ntp service should be enabled if possible. + + + + + + + + + + + + + + + Disable Network File System Lock Service (nfslock) + + Fedora + + + The nfslock service should be disabled if possible. + + + + + + + + + + + + + Disable Network File System (nfs) + + Fedora + + + The nfs-server service should be disabled if possible. + + + + + + + + + + + + + Disable Network File Systems (netfs) + + Fedora + + + The netfs service should be disabled if possible. + + + + + + + + + + + + + Verify iptables Enabled + + Fedora + + + The iptables service should be enabled if possible. + + + + + + + + + + + + + + + Verify ip6tables Enabled if Using IPv6 + + Fedora + + + The ip6tables service should be enabled if possible. + + + + + + + + + + + + + + + Verify firewalld Enabled + + Fedora + + + The firewalld service should be enabled if possible. + + + + + + + + + + + + + + + Disable debug-shell SystemD Service + + Fedora + + + The debug-shell service should be disabled if possible. + + + + + + + + + + + + + Enable cron Service + + Fedora + + + The crond service should be enabled if possible. + + + + + + + + + + + + + + + Enable cron Service + + Fedora + + + The cron service should be enabled if possible. + + + + + + + + + + + + + + + Enable the NTP Daemon + + Fedora + + + At least one of the chronyd or ntpd services should be enabled if possible. + + + + + + + + + The Chronyd service is enabled + + Fedora + + + The chronyd service should be enabled if possible. + + + + + + + + + + + + + + + Disable Bluetooth Service + + Fedora + + + The bluetooth service should be disabled if possible. + + + + + + + + + + + + + Disable the Automounter + + Fedora + + + The autofs service should be disabled if possible. 
+ + + + + + + + + + + + + Enable auditd Service + + Fedora + + + The auditd service should be enabled if possible. + + + + + + + + + + + + + + + Disable At Service (atd) + + Fedora + + + The atd service should be disabled if possible. + + + + + + + + + + + + + Ensure SELinux State is Enforcing + + Fedora + + + The SELinux state should be enforcing the local policy. + + + + + + + + Configure SELinux Policy + + Fedora + + + The SELinux policy should be set appropriately. + + + + + + + + Ensure No Daemons are Unconfined by SELinux + + Fedora + + + All pids in /proc should be assigned an SELinux security context other than 'unconfined_service_t'. + + + + + + + + Ensure No Device Files are Unlabeled by SELinux + + Fedora + + + All device files in /dev should be assigned an SELinux security context other than 'device_t' and 'unlabeled_t'. + + + + + + + + + Restrict Virtual Console Root Logins + + Fedora + + + Preventing direct root login to virtual console devices + helps ensure accountability for actions taken on the system using the + root account. + + + + + + + + Configure CA certificate for rsyslog remote logging + + Fedora + + + Check that the CA certificate path is set + + + + + + + + Configure TLS for rsyslog remote logging + + Fedora + + + Check that all needed TLS-related options are present + + + + + + + + Ensure Logs Sent To Remote Host + + Fedora + + + Syslog logs should be sent to a remote loghost + + + + + + + + + Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server + + Fedora + + + rsyslogd should reject remote messages + + + + + + + + Ensure System Log Files Have Correct Permissions + + Fedora + + + File permissions for all syslog log files should be set correctly. + + + + + + + + Ensure Log Files Are Owned By Appropriate User + + Fedora + + + All syslog log files should be owned by the appropriate user. 
+ + + + + + + + Ensure Log Files Are Owned By Appropriate Group + + Fedora + + + All syslog log files should be owned by the appropriate group. + + + + + + + + Ensure cron Is Logging To Rsyslog + + Fedora + + + Rsyslog should be configured to capture cron messages. + + + + + + + + + Verify and Correct File Permissions with RPM + + Fedora + + + Verify the permissions of installed packages + by comparing the installed files with information about the + files taken from the package metadata stored in the RPM + database. + + + + + + + + Verify File Hashes with RPM + + Fedora + + + Verify the RPM digests of system binaries using the RPM database. + + + + + + + + Ensure that Root's Path Does Not Include Relative Paths or Null Directories + + Fedora + + + The environment variable PATH should be set correctly for + the root user. + + + + + + + + + + + + + Restrict Serial Port Root Logins + + Fedora + + + Preventing direct root login to serial port interfaces helps + ensure accountability for actions taken on the system using the root + account. + + + + + + + + Require Authentication for Single User Mode + + Fedora + + + The requirement for a password to boot into single-user mode + should be configured correctly. + + + + + + + + + + + Require Authentication for Emergency Systemd Target + + Fedora + + + The requirement for a password to boot into emergency mode + should be configured correctly. 
+ + + + + + + + + + + Device Files for Removable Media Partitions Does Not Exist on the System + + Fedora + + + Verify if device file representing removable partitions + exist on the system + + + + + + + + Test for different architecture than s390x + + Fedora + + + Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x + + + + + + + + Prefer to use a 64-bit Operating System when supported + + Fedora + + + Check if the system supports a 64-bit Operating System + + + + + + + + + Configure System to Forward All Mail For The Root Account + + Fedora + + + Check if root has the correct mail alias. + + + + + + + + Ensure /var/log/audit Located On Separate Partition + + Fedora + + + If stored locally, create a separate partition for + . If will be mounted from another + system such as an NFS server, then creating a separate partition is not + necessary at this time, and the mountpoint can instead be configured + later. + + + + + + + + Ensure /var/log Located On Separate Partition + + Fedora + + + If stored locally, create a separate partition for + . If will be mounted from another + system such as an NFS server, then creating a separate partition is not + necessary at this time, and the mountpoint can instead be configured + later. + + + + + + + + Ensure /var Located On Separate Partition + + Fedora + + + If stored locally, create a separate partition for + . If will be mounted from another + system such as an NFS server, then creating a separate partition is not + necessary at this time, and the mountpoint can instead be configured + later. + + + + + + + + Ensure /usr Located On Separate Partition + + Fedora + + + If stored locally, create a separate partition for + . If will be mounted from another + system such as an NFS server, then creating a separate partition is not + necessary at this time, and the mountpoint can instead be configured + later. 
+ + + + + + + + Ensure /tmp Located On Separate Partition + + Fedora + + + If stored locally, create a separate partition for + . If will be mounted from another + system such as an NFS server, then creating a separate partition is not + necessary at this time, and the mountpoint can instead be configured + later. + + + + + + + + Ensure /srv Located On Separate Partition + + Fedora + + + If stored locally, create a separate partition for + . If will be mounted from another + system such as an NFS server, then creating a separate partition is not + necessary at this time, and the mountpoint can instead be configured + later. + + + + + + + + Ensure /opt Located On Separate Partition + + Fedora + + + If stored locally, create a separate partition for + . If will be mounted from another + system such as an NFS server, then creating a separate partition is not + necessary at this time, and the mountpoint can instead be configured + later. + + + + + + + + Ensure /home Located On Separate Partition + + Fedora + + + If stored locally, create a separate partition for + . If will be mounted from another + system such as an NFS server, then creating a separate partition is not + necessary at this time, and the mountpoint can instead be configured + later. + + + + + + + + Ensure /boot Located On Separate Partition + + Fedora + + + If stored locally, create a separate partition for + . If will be mounted from another + system such as an NFS server, then creating a separate partition is not + necessary at this time, and the mountpoint can instead be configured + later. + + + + + + + + Remove the X Windows Package Group + + Fedora + + + The RPM package xorg-x11-server-common should be removed. + + + + + + + + Uninstall vsftpd Package + + Fedora + + + The RPM package vsftpd should be removed. + + + + + + + + Install vsftpd Package + + Fedora + + + The RPM package vsftpd should be installed. 
+ + + + + + + + Install vim Package + + Fedora + + + The RPM package vim should be installed. + + + + + + + + Install usbguard Package + + Fedora + + + The RPM package usbguard should be installed. + + + + + + + + Uninstall tuned Package + + Fedora + + + The RPM package tuned should be removed. + + + + + + + + Install the tmux Package + + Fedora + + + The RPM package tmux should be installed. + + + + + + + + Uninstall the telnet server + + Fedora + + + The RPM package telnetd should be removed. + + + + + + + + Uninstall the ssl compliant telnet server + + Fedora + + + The RPM package telnetd-ssl should be removed. + + + + + + + + Install tar Package + + Fedora + + + The RPM package tar should be installed. + + + + + + + + Ensure syslog-ng is Installed + + Fedora + + + The RPM package syslogng should be installed. + + + + + + + + Install sudo Package + + Fedora + + + The RPM package sudo should be installed. + + + + + + + + Install sssd-ipa Package + + Fedora + + + The RPM package sssd-ipa should be installed. + + + + + + + + Uninstall setroubleshoot Package + + Fedora + + + The RPM package setroubleshoot should be removed. + + + + + + + + Uninstall setroubleshoot-server Package + + Fedora + + + The RPM package setroubleshoot-server should be removed. + + + + + + + + Uninstall setroubleshoot-plugins Package + + Fedora + + + The RPM package setroubleshoot-plugins should be removed. + + + + + + + + Uninstall Sendmail Package + + Fedora + + + The RPM package sendmail should be removed. + + + + + + + + Install the screen Package + + Fedora + + + The RPM package screen should be installed. + + + + + + + + Install scap-security-guide Package + + Fedora + + + The RPM package scap-security-guide should be installed. + + + + + + + + package_samba-common_removed + + Fedora + + + The RPM package samba-common should be removed. + + + + + + + + Ensure rsyslog is Installed + + Fedora + + + The RPM package rsyslog should be installed. 
+ + + + + + + + Ensure rsyslog-gnutls is installed + + Fedora + + + The RPM package rsyslog-gnutls should be installed. + + + + + + + + Install rng-tools Package + + Fedora + + + The RPM package rng-tools should be installed. + + + + + + + + Install rear Package + + Fedora + + + The RPM package rear should be installed. + + + + + + + + package_prelink_removed + + Fedora + + + The RPM package prelink should be removed. + + + + + + + + Install policycoreutils Package + + Fedora + + + The RPM package policycoreutils should be installed. + + + + + + + + Install the pcsc-lite package + + Fedora + + + The RPM package pcsc-lite should be installed. + + + + + + + + package_pam_ldap_removed + + Fedora + + + The RPM package pam_ldap should be removed. + + + + + + + + Remove the OpenSSH Server Package + + Fedora + + + The RPM package openssh-server should be removed. + + + + + + + + Install the OpenSSH Server Package + + Fedora + + + The RPM package openssh-server should be installed. + + + + + + + + Install openscap-scanner Package + + Fedora + + + The RPM package openscap-scanner should be installed. + + + + + + + + Install the opensc Package For Multifactor Authentication + + Fedora + + + The RPM package opensc should be installed. + + + + + + + + Ensure LDAP client is not installed + + Fedora + + + The RPM package openldap-clients should be removed. + + + + + + + + Uninstall the ntpdate package + + Fedora + + + The RPM package ntpdate should be removed. + + + + + + + + Install the ntp service + + Fedora + + + The RPM package ntp should be installed. + + + + + + + + Ensure nss-tools is installed + + Fedora + + + The RPM package nss-tools should be installed. + + + + + + + + Uninstall the nis package + + Fedora + + + The RPM package nis should be removed. + + + + + + + + Uninstall nfs-utils Package + + Fedora + + + The RPM package nfs-utils should be removed. + + + + + + + + Uninstall net-snmp Package + + Fedora + + + The RPM package net-snmp should be removed. 
+ + + + + + + + Uninstall mcstrans Package + + Fedora + + + The RPM package mcstrans should be removed. + + + + + + + + Install libselinux Package + + Fedora + + + The RPM package libselinux should be installed. + + + + + + + + Install libreswan Package + + Fedora + + + The RPM package libreswan should be installed. + + + + + + + + Install libcap-ng-utils Package + + Fedora + + + The RPM package libcap-ng-utils should be installed. + + + + + + + + Uninstall krb5-workstation Package + + Fedora + + + The RPM package krb5-workstation should be removed. + + + + + + + + Install iptables Package + + Fedora + + + The RPM package iptables should be installed. + + + + + + + + Uninstall iprutils Package + + Fedora + + + The RPM package iprutils should be removed. + + + + + + + + Uninstall the inet-based telnet server + + Fedora + + + The RPM package inetutils-telnetd should be removed. + + + + + + + + Uninstall gssproxy Package + + Fedora + + + The RPM package gssproxy should be removed. + + + + + + + + Ensure gnutls-utils is installed + + Fedora + + + The RPM package gnutls-utils should be installed. + + + + + + + + Uninstall geolite2-country Package + + Fedora + + + The RPM package geolite2-country should be removed. + + + + + + + + Uninstall geolite2-city Package + + Fedora + + + The RPM package geolite2-city should be removed. + + + + + + + + Remove the GDM Package Group + + Fedora + + + The RPM package gdm should be removed. + + + + + + + + package_gdm_installed + + Fedora + + + The RPM package gdm should be installed. + + + + + + + + Install fapolicyd Package + + Fedora + + + The RPM package fapolicyd should be installed. + + + + + + + + package_esc_installed + + Fedora + + + The RPM package esc should be installed. + + + + + + + + Install dnf-automatic Package + + Fedora + + + The RPM package dnf-automatic should be installed. + + + + + + + + package_dconf_installed + + Fedora + + + The RPM package dconf should be installed. 
+ + + + + + + + Install cryptsetup-luks Package + + Fedora + + + The RPM package cryptsetup-luks should be installed. + + + + + + + + Install the cron service + + Fedora + + + The RPM package cron should be installed. + + + + + + + + The Chrony package is installed + + Fedora + + + The RPM package chrony should be installed. + + + + + + + + Install binutils Package + + Fedora + + + The RPM package binutils should be installed. + + + + + + + + Uninstall bind Package + + Fedora + + + The RPM package bind should be removed. + + + + + + + + package_avahi_installed + + Fedora + + + The RPM package avahi should be installed. + + + + + + + + Ensure the audit Subsystem is Installed + + Fedora + + + The RPM package audit should be installed. + + + + + + + + Ensure the default plugins for the audit dispatcher are Installed + + Fedora + + + The RPM package audit-audispd-plugins should be installed. + + + + + + + + Install audispd-plugins Package + + Fedora + + + The RPM package audispd-plugins should be installed. + + + + + + + + Install AIDE + + Fedora + + + The RPM package aide should be installed. + + + + + + + + Uninstall Automatic Bug Reporting Tool (abrt) + + Fedora + + + The RPM package abrt should be removed. + + + + + + + + Uninstall abrt-plugin-sosreport Package + + Fedora + + + The RPM package abrt-plugin-sosreport should be removed. + + + + + + + + Uninstall abrt-plugin-rhtsupport Package + + Fedora + + + The RPM package abrt-plugin-rhtsupport should be removed. + + + + + + + + Uninstall abrt-plugin-logger Package + + Fedora + + + The RPM package abrt-plugin-logger should be removed. + + + + + + + + Uninstall abrt-cli Package + + Fedora + + + The RPM package abrt-cli should be removed. + + + + + + + + Uninstall abrt-addon-python Package + + Fedora + + + The RPM package abrt-addon-python should be removed. + + + + + + + + Uninstall abrt-addon-kerneloops Package + + Fedora + + + The RPM package abrt-addon-kerneloops should be removed. 
+ + + + + + + + Uninstall abrt-addon-ccpp Package + + Fedora + + + The RPM package abrt-addon-ccpp should be removed. + + + + + + + + Install the Host Intrusion Prevention System (HIPS) Module + + Fedora + + + The RPM package MFEhiplsm should be installed. + + + + + + + + package_GConf2_installed + + Fedora + + + The RPM package GConf2 should be installed. + + + + + + + + Specify a Remote NTP Server + + Fedora + + + A remote ntpd NTP Server for time synchronization should be + specified (and dependencies are met) + + + + + + + + Specify Additional Remote NTP Servers + + Fedora + + + Multiple ntpd NTP Servers for time synchronization should be specified. + + + + + + + + Configure ntpd To Run As ntp User + + Fedora + + + Ensure ntpd is configured to run correctly under the ntp user. + + + + + + + + + Configure server restrictions for ntpd + + Fedora + + + Certain restrictions are imposed on ntp servers configured to be used by ntpd + + + + + + + + + Prevent user from disabling the screen lock + + Fedora + + + Check that tmux is not listed in /etc/shells + + + + + + + + Ensure that System Accounts Do Not Run a Shell Upon Login + + Fedora + + + The root account is the only system account that should have + a login shell. + + + + + + + + + + + + + + + + + + Remove Rsh Trust Files + + Fedora + + + There should not be any .rhosts or hosts.equiv files on the system. + + + + + + + + + + Verify No netrc Files Exist + + Fedora + + + The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed. 
+ + + + + + + + Ensure there are no legacy + NIS entries in /etc/shadow + + Fedora + + + No lines starting with + are in /etc/shadow + + + + + + + + Ensure there are no legacy + NIS entries in /etc/passwd + + Fedora + + + No lines starting with + are in /etc/passwd + + + + + + + + Ensure there are no legacy + NIS entries in /etc/group + + Fedora + + + No lines starting with + are in /etc/group + + + + + + + + Ensure Insecure File Locking is Not Allowed + + Fedora + + + Allowing insecure file locking could allow for sensitive + data to be viewed or edited by an unauthorized user. + + + + + + + + Ensure All Files Are Owned by a User + + Fedora + + + All files should be owned by a user + + + + + + + + Prevent Login to Accounts With Empty Password + + Fedora + + + The file /etc/pam.d/system-auth should not contain the nullok option + + + + + + + + Direct root Logins Not Allowed + + Fedora + + + Preventing direct root logins help ensure accountability for actions + taken on the system using the root account. + + + + + + + + + No CD/DVD drive is configured to automount in /etc/fstab + + Fedora + + + Check the /etc/fstab and check if a CD/DVD drive + is not configured for automount. 
+ + + + + + + + Ensure System is Not Acting as a Network Sniffer + + Fedora + + + Disable the network sniffer + + + + + + + + Prevent non-Privileged Users from Modifying Network Interfaces using nmcli + + Fedora + + + polkit is properly configured to prevent non-privileged users from changing networking settings + + + + + + + + Manually Assign Global IPv6 Address + + Fedora + + + Manually configure addresses for IPv6 + + + + + + + + + Use Privacy Extensions for Address + + Fedora + + + Enable privacy extensions for IPv6 + + + + + + + + + Disable Support for RPC IPv6 + + Fedora + + + Disable ipv6 based rpc services + + + + + + + + + Manually Assign IPv6 Router Address + + Fedora + + + Define default gateways for IPv6 traffic + + + + + + + + + Disable Zeroconf Networking + + Fedora + + + Disable Zeroconf automatic route assignment in the + 169.254.0.0 subnet. + + + + + + + + Bind Mount /var/tmp To /tmp + + Fedora + + + The /var/tmp directory should be bind mounted to /tmp in + order to consolidate temporary storage into one location protected by the + same techniques as /tmp. + + + + + + + + + + + + + Add nosuid Option to /var + + Fedora + + + /var should be mounted with mount option nosuid. + + + + + + + + Add noexec Option to /var + + Fedora + + + /var should be mounted with mount option noexec. + + + + + + + + Add nodev Option to /var + + Fedora + + + /var should be mounted with mount option nodev. + + + + + + + + Add nosuid Option to /var/log + + Fedora + + + /var/log should be mounted with mount option nosuid. + + + + + + + + Add noexec Option to /var/log + + Fedora + + + /var/log should be mounted with mount option noexec. + + + + + + + + Add nodev Option to /var/log + + Fedora + + + /var/log should be mounted with mount option nodev. + + + + + + + + Add nosuid Option to /var/log/audit + + Fedora + + + /var/log/audit should be mounted with mount option nosuid. 
+ + + + + + + + Add noexec Option to /var/log/audit + + Fedora + + + /var/log/audit should be mounted with mount option noexec. + + + + + + + + Add nodev Option to /var/log/audit + + Fedora + + + /var/log/audit should be mounted with mount option nodev. + + + + + + + + Add nosuid Option to /tmp + + Fedora + + + /tmp should be mounted with mount option nosuid. + + + + + + + + Add noexec Option to /tmp + + Fedora + + + /tmp should be mounted with mount option noexec. + + + + + + + + Add nodev Option to /tmp + + Fedora + + + /tmp should be mounted with mount option nodev. + + + + + + + + Add nosuid Option to /srv + + Fedora + + + /srv should be mounted with mount option nosuid. + + + + + + + + Add nosuid Option to /opt + + Fedora + + + /opt should be mounted with mount option nosuid. + + + + + + + + Add nosuid Option to Removable Media Partitions + + Fedora + + + The nosuid option should be enabled for all removable devices mounts in /etc/fstab. + + + + + + + + + + + + + + + + Add noexec Option to Removable Media Partitions + + Fedora + + + The noexec option should be enabled for all removable devices mounts in /etc/fstab. + + + + + + + + + + + + + + + + Add nodev Option to Removable Media Partitions + + Fedora + + + The nodev option should be enabled for all removable devices mounts in /etc/fstab. + + + + + + + + + + + + + + + + Add nodev Option to Non-Root Local Partitions + + Fedora + + + The nodev mount option prevents files from being interpreted + as character or block devices. Legitimate character and block devices + should exist in the /dev directory on the root partition or within chroot + jails built for system services. All other locations should not allow + character and block devices. + + + + + + + + Add noexec Option to /home + + Fedora + + + /home should be mounted with mount option noexec. + + + + + + + + Add nosuid Option to /dev/shm + + Fedora + + + /dev/shm should be mounted with mount option nosuid. 
+ + + + + + + + Add noexec Option to /dev/shm + + Fedora + + + /dev/shm should be mounted with mount option noexec. + + + + + + + + Add nodev Option to /dev/shm + + Fedora + + + /dev/shm should be mounted with mount option nodev. + + + + + + + + Add nosuid Option to /boot + + Fedora + + + /boot should be mounted with mount option nosuid. + + + + + + + + Add noexec Option to /boot + + Fedora + + + /boot should be mounted with mount option noexec. + + + + + + + + Add nodev Option to /boot + + Fedora + + + /boot should be mounted with mount option nodev. + + + + + + + + Add noauto Option to /boot + + Fedora + + + /boot should be mounted with mount option noauto. + + + + + + + + Configure Logwatch SplitHosts Line + + Fedora + + + Check if SplitHosts line in logwatch.conf is set appropriately. + + + + + + + + Configure Logwatch HostLimit Line + + Fedora + + + Test if HostLimit line in logwatch.conf is set appropriately. + + + + + + + + Disable Mounting of vFAT filesystems + + Fedora + + + The kernel module vfat should be disabled. + + + + + + + + + + + + + + Disable Modprobe Loading of USB Storage Driver + + Fedora + + + The kernel module usb-storage should be disabled. + + + + + + + + + + + + + + Disable Mounting of udf + + Fedora + + + The kernel module udf should be disabled. + + + + + + + + + + + + + + Disable TIPC Support + + Fedora + + + The kernel module tipc should be disabled. + + + + + + + + + + + + + + Disable Mounting of squashfs + + Fedora + + + The kernel module squashfs should be disabled. + + + + + + + + + + + + + + Disable RDS Support + + Fedora + + + The kernel module rds should be disabled. + + + + + + + + + + + + + + Disable Mounting of jffs2 + + Fedora + + + The kernel module jffs2 should be disabled. + + + + + + + + + + + + + + Disable IPv6 Networking Support Automatic Loading + + Fedora + + + The disable option will allow the IPv6 module to be inserted, but prevent address assignment and activation of the network stack. 
+ + + + + + + + Disable Mounting of hfsplus + + Fedora + + + The kernel module hfsplus should be disabled. + + + + + + + + + + + + + + Disable Mounting of hfs + + Fedora + + + The kernel module hfs should be disabled. + + + + + + + + + + + + + + Disable Mounting of freevxfs + + Fedora + + + The kernel module freevxfs should be disabled. + + + + + + + + + + + + + + Disable IEEE 1394 (FireWire) Support + + Fedora + + + The kernel module firewire-core should be disabled. + + + + + + + + + + + + + + Disable DCCP Support + + Fedora + + + The kernel module dccp should be disabled. + + + + + + + + + + + + + + Disable Mounting of cramfs + + Fedora + + + The kernel module cramfs should be disabled. + + + + + + + + + + + + + + Disable CAN Support + + Fedora + + + The kernel module can should be disabled. + + + + + + + + + + + + + + Disable Bluetooth Kernel Module + + Fedora + + + The kernel module bluetooth should be disabled. + + + + + + + + + + + + + + Disable ATM Support + + Fedora + + + The kernel module atm should be disabled. + + + + + + + + + + + + + + Disable Kerberos by removing host keytab + + Fedora + + + Check that there is no Kerberos keytab file present in /etc + + + + + + + + Check if the scan target is a machine + + Fedora + + + + Check for absence of files characterizing container filesystems. + + + + + + + + Check if the scan target is a container + + Fedora + + + + Check for presence of files characterizing container filesystems. + + + + + + + + + System uses zIPL + + Fedora + + + + Checks if system uses zIPL bootloader. + + + + + + + + Package yum is installed + + Fedora + + + + Checks if package yum is installed. + + + + + + + + Package systemd is installed + + Fedora + + + + Checks if package systemd is installed. + + + + + + + + Package sudo is installed + + Fedora + + + + Checks if package sudo is installed. + + + + + + + + Package sssd-common is installed + + Fedora + + + + Checks if package sssd-common is installed. 
+ + + + + + + + Package pam is installed + + Fedora + + + + Checks if package pam is installed. + + + + + + + + Package ntp is installed + + Fedora + + + + Checks if package ntp is installed. + + + + + + + + Package nss-pam-ldapd is installed + + Fedora + + + + Checks if package nss-pam-ldapd is installed. + + + + + + + + Package net-snmp is installed + + Fedora + + + + Checks if package net-snmp is installed. + + + + + + + + Package providing /etc/login.defs is installed + + Fedora + + + + Checks if package providing /etc/login.defs and is installed. + + + + + + + + Package libuser is installed + + Fedora + + + + Checks if package libuser is installed. + + + + + + + + Package grub2 is installed + + Fedora + + + + Checks if package grub2-common is installed. + + + + + + + + + + + + Package gdm is installed + + Fedora + + + + Checks if package gdm is installed. + + + + + + + + Package chrony is installed + + Fedora + + + + Checks if package chrony is installed. + + + + + + + + Red Hat Virtualization 4 + + Fedora + + + + The application installed installed on the system is + Red Hat Virtualization 4. + + + + + + + + + Red Hat OpenStack Platform + + Fedora + + + + The application installed installed on the system is + Red Hat OpenStack Platform 13. + + + + + + + + + Red Hat OpenStack Platform + + Fedora + + + + The application installed installed on the system is + Red Hat OpenStack Platform 10. + + + + + + + + + WRLinux 8 + + Fedora + + + + The operating system installed on the system is + Wind River Linux 8 + + + + + + + + + WRLinux 1019 + + Fedora + + + + The operating system installed on the system is + Wind River Linux 1019 + + + + + + + + + + The Installed Operating System Is Vendor Supported + + Fedora + + + + The operating system installed on the system is supported by a vendor that provides security patches. 
+ + + + + + + + + + + + + + Ubuntu + + Fedora + + + The operating system installed is an Ubuntu System + + + + + + + + + + Ubuntu 2004 + + Fedora + + + + The operating system installed on the system is Ubuntu 2004 + + + + + + + + + Ubuntu 1804 + + Fedora + + + + The operating system installed on the system is Ubuntu 1804 + + + + + + + + + Ubuntu 1604 + + Fedora + + + + The operating system installed on the system is Ubuntu 1604 + + + + + + + + + SUSE Linux Enterprise 15 + + Fedora + + + + + The operating system installed on the system is + SUSE Linux Enterprise 15. + + + + + + + + + + + + + SUSE Linux Enterprise 12 + + Fedora + + + + + The operating system installed on the system is + SUSE Linux Enterprise 12. + + + + + + + + + + + + + Scientific Linux 7 + + Fedora + + + + The operating system installed on the system is + Scientific Linux 7 + + + + + + + + + Scientific Linux 6 + + Fedora + + + + The operating system installed on the system is + Scientific Linux 6 + + + + + + + + + Red Hat Virtualization 4 + + Fedora + + + + The operating system installed on the system is + Red Hat Virtualization Host 4.4+ or Red Hat Enterprise Host. 
+ + + + + + + + + Red Hat Enterprise Linux 9 + + Fedora + + + + The operating system installed on the system is + Red Hat Enterprise Linux 9 + + + + + + + + + + + + + + + Red Hat Enterprise Linux 8 + + Fedora + + + + The operating system installed on the system is + Red Hat Enterprise Linux 8 + + + + + + + + + + + + + + + Red Hat Enterprise Linux 7 + + Fedora + + + + The operating system installed on the system is + Red Hat Enterprise Linux 7 + + + + + + + + + + + + + + + + + + Red Hat Enterprise Linux CoreOS + + Fedora + + + + The operating system installed on the system is + Red Hat Enterprise Linux CoreOS release 4 + + + + + + + + + + + Installed operating system is part of the Unix family + + Fedora + + + The operating system installed on the system is part of the Unix OS family + + + + + + + + openSUSE Leap 42 + + Fedora + + + + + + The operating system installed on the system is openSUSE Leap 42. + + + + + + + + + openSUSE Leap 15 + + Fedora + + + + The operating system installed on the system is openSUSE Leap 15. + + + + + + + + + openSUSE + + Fedora + + + The operating system installed on the system is openSUSE. 
+ + + + + + + + + Oracle Linux 8 + + Fedora + + + + The operating system installed on the system is + Oracle Linux 8 + + + + + + + + + + + Oracle Linux 7 + + Fedora + + + + The operating system installed on the system is + Oracle Linux 7 + + + + + + + + + + + Installed operating system is Fedora + + Fedora + + + + The operating system installed on the system is Fedora + + + + + + + + + + Debian + + Fedora + + + The operating system installed is a Debian System + + + + + + + + + Debian 9 + + Fedora + + + + The operating system installed on the system is Debian 9 + + + + + + + + + Debian Linux 10 + + Fedora + + + + The operating system installed on the system is Debian 10 + + + + + + + + + CentOS 8 + + Fedora + + + + The operating system installed on the system is + CentOS 8 + + + + + + + + + + CentOS 7 + + Fedora + + + + The operating system installed on the system is + CentOS 7 + + + + + + + + + CentOS 6 + + Fedora + + + + The operating system installed on the system is + CentOS 6 + + + + + + + + + The Installed Operating System Is FIPS 140-2 Certified + + Fedora + + + + The operating system installed on the system is a certified operating system that meets FIPS 140-2 requirements. + + + + + + + + + + + + + + + + + Install Smart Card Packages For Multifactor Authentication + + Fedora + + + The RPM package openssl-pkcs11 should be installed. + + + + + + + + Install the Policy Auditor (PA) Module + + Fedora + + + Install the Policy Auditor (PA) Module. + + + + + + + + Install the Asset Configuration Compliance Module (ACCM) + + Fedora + + + Install the Asset Configuration Compliance Module (ACCM). + + + + + + + + Install McAfee Host-Based Intrusion Detection Software (HBSS) + + Fedora + + + McAfee Host-Based Intrusion Detection Software (HBSS) software + should be installed. + + + + + + + + + + + Install the McAfee Runtime Libraries and Linux Agent + + Fedora + + + Install the McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma). 
+ + + + + + + + + Install McAfee Virus Scanning Software + + Fedora + + + McAfee Antivirus software should be installed. + + + + + + + + + Install Intrusion Detection Software + + Fedora + + + Intrusion detection software or SELinux should be installed and enabled. + + + + + + + + + Install Virus Scanning Software + + Fedora + + + Antivirus software should be installed. + + + + + + + + Install PAE Kernel on Supported 32-bit x86 Systems + + Fedora + + + The RPM package kernel-PAE should be installed on 32-bit + systems. + + + + + + + + + + + + + + + + Harden SSHD Crypto Policy + + Fedora + + + Ensure 'CRYPTO_POLICY' is configured with value ''-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256'' in /etc/crypto-policies/back-ends/opensshserver.config + + + + + + + + + + + + + + + + + + Harden SSH client Crypto Policy + + Fedora + + + Ensure the ssh client ciphers are configured correctly in /etc/ssh/ssh_config.d/02-ospp.conf + + + + + + + + + + + + + + Disable vsyscalls + + Fedora + + + Ensure vsyscall=none is configured in the kernel line in /etc/default/grub. + + + + + + + + Set the UEFI Boot Loader Password + + Fedora + + + The UEFI grub2 boot loader should have password protection enabled. + + + + + + + + + + + + + + + Set the UEFI Boot Loader Admin Username to a Non-Default Value + + Fedora + + + The grub2 boot loader superuser should have a username that is hard to guess. + + + + + + + + + Enable SLUB/SLAB allocator poisoning + + Fedora + + + Ensure slub_debug=P is configured in the kernel line in /etc/default/grub. 
+ + + + + + + + Enable Kernel Page-Table Isolation (KPTI) + + Fedora + + + Ensure pti=on is configured in the kernel line in /etc/default/grub. + + + + + + + + Set Boot Loader Password in grub2 + + Fedora + + + The grub2 boot loader should have password protection enabled. + + + + + + + + + + + + + + + Enable page allocator poisoning + + Fedora + + + Ensure page_poison=1 is configured in the kernel line in /etc/default/grub. + + + + + + + + Disable Kernel Support for USB via Bootloader Configuration + + Fedora + + + Ensure 'GRUB_CMDLINE_LINUX' is configured with value 'nousb' in /etc/default/grub + + + + + + + + Ensure IPv6 is disabled through kernel boot parameter + + Fedora + + + Ensure ipv6.disable=1 is configured in the kernel line in /etc/default/grub. + + + + + + + + Ensure SELinux Not Disabled in /etc/default/grub + + Fedora + + + + Check if selinux=0 OR enforcing=0 within the GRUB2 configuration files, fail if found. + + + + + + + + + + + IOMMU configuration directive + + Fedora + + + Ensure iommu=force is configured in the kernel line in /etc/default/grub. + + + + + + + + Verify that Interactive Boot is Disabled + + Fedora + + + The ability for users to perform interactive startups should + be disabled. + + + + + + + + + + + + GRUB_CMDLINE_LINUX_DEFAULT existance check + + Fedora + + + Check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub. + + + + + + + + Extend Audit Backlog Limit for the Audit Daemon + + Fedora + + + Ensure audit_backlog_limit=8192 is configured in the kernel line in /etc/default/grub. + + + + + + + + Enable Auditing for Processes Which Start Prior to the Audit Daemon + + Fedora + + + Ensure audit=1 is configured in the kernel line in /etc/default/grub. + + + + + + + + Set the Boot Loader Admin Username to a Non-Default Value + + Fedora + + + The grub2 boot loader superuser should have a username that is hard to guess. 
+ + + + + + + + + Disable XDMCP in GDM + + Fedora + + + Ensure 'Enable' is configured with value 'false in section 'xdmcp' in /etc/gdm/custom.conf + + + + + + + + + + + Disable GDM Guest Login + + Fedora + + + Disable the GNOME Display Manager (GDM) ability to allow guest users + to login. + + + + + + + + + Disable GDM Automatic Login + + Fedora + + + Disable the GNOME Display Manager (GDM) ability to allow users to + automatically login. + + + + + + + + + All GIDs referenced in /etc/passwd must be defined in /etc/group + + Fedora + + + All GIDs referenced in /etc/passwd must be defined in /etc/group. + + + + + + + + Create Warning Banners for All FTP Users + + Fedora + + + This setting will cause the system greeting banner to be + used for FTP connections as well. + + + + + + + + + Enable Logging of All FTP Transactions + + Fedora + + + To trace malicious activity facilitated by the FTP + service, it must be configured to ensure that all commands sent to + the FTP server are logged using the verbose vsftpd log format. + + + + + + + + + + + + + + Force opensc To Use Defined Smart Card Driver + + Fedora + + + Force opensc to use the organization's smart card driver so that only + the smart card in use by the organization will be recognized by the system. + + + + + + + + Verify Permissions on /var/log/messages File + + Fedora + + + This test makes sure that /var/log/messages has mode 0640. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + System Audit Logs Must Have Mode 0640 or Less Permissive + + Fedora + + + Checks for correct permissions for all log files in /var/log/audit. + + + + + + + + + + + + Verify Permissions on /var/log Directory + + Fedora + + + This test makes sure that /var/log/ has mode 0755. + If the target file or directory has an extended ACL, then it will fail the mode check. 
+ + + + + + + + + Ensure All Files Are Owned by a Group + + Fedora + + + All files should be owned by a group + + + + + + + + Ensure No World-Writable Files Exist + + Fedora + + + The world-write permission should be disabled for all files. + + + + + + + + Ensure All SUID Executables Are Authorized + + Fedora + + + Evaluates to true if all files with SUID set are owned by RPM packages. + + + + + + + + Ensure All SGID Executables Are Authorized + + Fedora + + + Evaluates to true if all files with SGID set are owned by RPM packages. + + + + + + + + Verify that local System.map file (if exists) is readable only by root + + Fedora + + + + Checks that /boot/System.map-* are only readable by root. + + + + + + + + + Verify Permissions on SSH Server Public *.pub Key Files + + Fedora + + + This test makes sure that /etc/ssh/ has mode 0644. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + Verify Permissions on SSH Server Private *_key Key Files + + Fedora + + + This test makes sure that /etc/ssh/ has mode 0640. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + Verify that Shared Library Files Have Restrictive Permissions + + Fedora + + + + Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and + objects therein, are not group-writable or world-writable. + + + + + + + + + + Ensure that User Home Directories are not Group-Writable or World-Readable + + Fedora + + + File permissions should be set correctly for the home directories for all user accounts. + + + + + + + + Verify /boot/grub2/grub.cfg Permissions + + Fedora + + + This test makes sure that /boot/grub2/grub.cfg has mode 0600. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + Verify Permissions on shadow File + + Fedora + + + This test makes sure that /etc/shadow has mode 0000. 
+ If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + Verify Permissions on passwd File + + Fedora + + + This test makes sure that /etc/passwd has mode 0644. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + Verify permissions on Message of the Day Banner + + Fedora + + + This test makes sure that /etc/motd has mode 0644. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + Verify permissions on System Login Banner + + Fedora + + + This test makes sure that /etc/issue has mode 0644. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + Verify Permissions on gshadow File + + Fedora + + + This test makes sure that /etc/gshadow has mode 0000. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + Verify Permissions on group File + + Fedora + + + This test makes sure that /etc/group has mode 0644. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + Verify the UEFI Boot Loader grub.cfg Permissions + + Fedora + + + This test makes sure that /boot/efi/EFI/fedora/grub.cfg has mode 0700. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + Verify that System Executables Have Restrictive Permissions + + Fedora + + + + Checks that binary files under /bin, /sbin, /usr/bin, /usr/sbin, + /usr/local/bin, /usr/local/sbin, and /usr/libexec are not group-writable or world-writable. + + + + + + + + + Verify Permissions on Backup shadow File + + Fedora + + + This test makes sure that /etc/shadow- has mode 0000. + If the target file or directory has an extended ACL, then it will fail the mode check. 
+ + + + + + + + + Verify Permissions on Backup passwd File + + Fedora + + + This test makes sure that /etc/passwd- has mode 0644. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + Verify Permissions on Backup gshadow File + + Fedora + + + This test makes sure that /etc/gshadow- has mode 0000. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + Verify Permissions on Backup group File + + Fedora + + + This test makes sure that /etc/group- has mode 0644. + If the target file or directory has an extended ACL, then it will fail the mode check. + + + + + + + + + System Audit Logs Must Be Owned By Root + + Fedora + + + Checks that all /var/log/audit files and directories are owned by the root user and group. + + + + + + + + + + + + + + + + Verify that Shared Library Files Have Root Ownership + + Fedora + + + + Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and + objects therein, are owned by root. + + + + + + + + + + Verify that System Executables Have Root Ownership + + Fedora + + + + Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, + /usr/local/sbin, /usr/libexec, and objects therein, are owned by root. + + + + + + + + + + Verify User Who Owns /var/log/messages File + + Fedora + + + This test makes sure that /var/log/messages is owned by 0. + + + + + + + + Verify User Who Owns /var/log Directory + + Fedora + + + This test makes sure that /var/log/ is owned by 0. + + + + + + + + Verify /boot/grub2/grub.cfg User Ownership + + Fedora + + + This test makes sure that /boot/grub2/grub.cfg is owned by 0. + + + + + + + + Verify User Who Owns shadow File + + Fedora + + + This test makes sure that /etc/shadow is owned by 0. + + + + + + + + Verify User Who Owns passwd File + + Fedora + + + This test makes sure that /etc/passwd is owned by 0. 
+ + + + + + + + Verify ownership of Message of the Day Banner + + Fedora + + + This test makes sure that /etc/motd is owned by 0. + + + + + + + + Verify ownership of System Login Banner + + Fedora + + + This test makes sure that /etc/issue is owned by 0. + + + + + + + + Verify User Who Owns gshadow File + + Fedora + + + This test makes sure that /etc/gshadow is owned by 0. + + + + + + + + Verify User Who Owns group File + + Fedora + + + This test makes sure that /etc/group is owned by 0. + + + + + + + + Verify the UEFI Boot Loader grub.cfg User Ownership + + Fedora + + + This test makes sure that /boot/efi/EFI/fedora/grub.cfg is owned by 0. + + + + + + + + Verify Group Who Owns Backup shadow File + + Fedora + + + This test makes sure that /etc/shadow- is owned by 0. + + + + + + + + Verify User Who Owns Backup passwd File + + Fedora + + + This test makes sure that /etc/passwd- is owned by 0. + + + + + + + + Verify User Who Owns Backup gshadow File + + Fedora + + + This test makes sure that /etc/gshadow- is owned by 0. + + + + + + + + Verify User Who Owns Backup group File + + Fedora + + + This test makes sure that /etc/group- is owned by 0. + + + + + + + + Verify Group Who Owns /var/log/messages File + + Fedora + + + This test makes sure that /var/log/messages is group owned by 0. + + + + + + + + Verify Group Who Owns /var/log Directory + + Fedora + + + This test makes sure that /var/log/ is group owned by 0. + + + + + + + + Verify /boot/grub2/grub.cfg Group Ownership + + Fedora + + + This test makes sure that /boot/grub2/grub.cfg is group owned by 0. + + + + + + + + Verify Group Who Owns shadow File + + Fedora + + + This test makes sure that /etc/shadow is group owned by 0. + + + + + + + + Verify Group Who Owns passwd File + + Fedora + + + This test makes sure that /etc/passwd is group owned by 0. + + + + + + + + Verify Group Ownership of Message of the Day Banner + + Fedora + + + This test makes sure that /etc/motd is group owned by 0. 
+ + + + + + + + Verify Group Ownership of System Login Banner + + Fedora + + + This test makes sure that /etc/issue is group owned by 0. + + + + + + + + Verify Group Who Owns gshadow File + + Fedora + + + This test makes sure that /etc/gshadow is group owned by 0. + + + + + + + + Verify Group Who Owns group File + + Fedora + + + This test makes sure that /etc/group is group owned by 0. + + + + + + + + Verify the UEFI Boot Loader grub.cfg Group Ownership + + Fedora + + + This test makes sure that /boot/efi/EFI/fedora/grub.cfg is group owned by 0. + + + + + + + + Verify User Who Owns Backup shadow File + + Fedora + + + This test makes sure that /etc/shadow- is group owned by 0. + + + + + + + + Verify Group Who Owns Backup passwd File + + Fedora + + + This test makes sure that /etc/passwd- is group owned by 0. + + + + + + + + Verify Group Who Owns Backup gshadow File + + Fedora + + + This test makes sure that /etc/gshadow- is group owned by 0. + + + + + + + + Verify Group Who Owns Backup group File + + Fedora + + + This test makes sure that /etc/group- is group owned by 0. + + + + + + + + Ensure '/etc/system-fips' exists + + Fedora + + + Check /etc/system-fips exists + + + + + + + + Ensure Logrotate Runs Periodically + + Fedora + + + + The frequency of automatic log files rotation performed by the logrotate utility should be configured to run daily + + + + + + + + + + + Ensure gpgcheck Enabled for All dnf Package Repositories + + Fedora + + + Ensure all yum or dnf repositories utilize signature checking. + + + + + + + + Ensure gpgcheck Enabled for Local Packages + + Fedora + + + The localpkg_gpgcheck option should be used to ensure that checking + of an RPM package's signature always occurs prior to its + installation. + + + + + + + + Ensure gpgcheck Enabled In Main dnf Configuration + + Fedora + + + The gpgcheck option should be used to ensure that checking + of an RPM package's signature always occurs prior to its + installation. 
+ + + + + + + + Ensure Fedora GPG Key Installed + + Fedora + + + The Fedora release key package is required to be installed. + + + + + + + + + + + + + Set Up a Private Namespace in PAM Configuration + + Fedora + + + Check presence of pam_namespace.so module in the /etc/pam.d/login file + + + + + + + + Enable FIPS Mode + + Fedora + + + Check if FIPS mode is enabled on the system + + + + + + + + + + + + + Enable Dracut FIPS Module + + Fedora + + + fips module should be enabled in Dracut configuration + + + + + + + + Configure GNOME3 DConf User Profile + + Fedora + + + The DConf User profile should have the local DB configured. + + + + + + + + + Configure dnf-automatic to Install Only Security Updates + + Fedora + + + Ensure 'upgrade_type' is configured with value 'security in section 'commands' in /etc/dnf/automatic.conf + + + + + + + + + + + Configure dnf-automatic to Install Available Updates Automatically + + Fedora + + + Ensure 'apply_updates' is configured with value 'yes in section 'commands' in /etc/dnf/automatic.conf + + + + + + + + + + + Ensure PAM Displays Last Logon/Access Notification + + Fedora + + + Configure the system to notify users of last login/access using pam_lastlog. + + + + + + + + Disable Core Dumps for All Users + + Fedora + + + Core dumps for all users should be disabled + + + + + + + + + + + + Disable Host-Based Authentication + + Fedora + + + Ensure 'HostbasedAuthentication' is configured with value 'no' in /etc/ssh/sshd_config + + + + + + + + + + + + + + + + + + + Disable Ctrl-Alt-Del Reboot Activation + + Fedora + + + By default, the system will reboot when the + Ctrl-Alt-Del key sequence is pressed. + + + + + + + + System Audit Logs Must Have Mode 0750 or Less Permissive + + Fedora + + + Checks for correct permissions for /var/log/audit. 
+ + + + + + + + + + + + Record Access Events to Audit Log Directory + + Fedora + + + Audit rules about the read events to /var/log/audit + + + + + + + + + + + + + + + Ensure All World-Writable Directories Are Group Owned by a System Account + + Fedora + + + All world writable directories should be group owned by a system user. + + + + + + + + Ensure All World-Writable Directories Are Owned by a System Account + + Fedora + + + All world writable directories should be owned by a system user. + + + + + + + + Verify that All World-Writable Directories Have Sticky Bits Set + + Fedora + + + The sticky bit should be set for all world-writable directories. + + + + + + + + Ensure All World-Writable Directories Are Owned by root user + + Fedora + + + All world writable directories should be owned by root. + + + + + + + + Verify that Shared Library Directories Have Restrictive Permissions + + Fedora + + + + Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and + objects therein, are not group-writable or world-writable. + + + + + + + + + Ensure Users Cannot Change GNOME3 Session Idle Settings + + Fedora + + + Ensure that users cannot change GNOME3 session idle settings. + + + + + + + + + + + + Ensure Users Cannot Change GNOME3 Screensaver Settings + + Fedora + + + Ensure that users cannot change GNOME3 screensaver idle and lock settings. + + + + + + + + + + + + Disable Full User Name on Splash Shield + + Fedora + + + GNOME3 screen splash shield should not display full name of logged in user. + + + + + + + + + + + + + Implement Blank Screensaver + + Fedora + + + The GNOME3 screensaver should be blank. + + + + + + + + + + + + + Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period + + Fedora + + + Idle activation of the screen lock should not be changed by users. + + + + + + + + + + + + Enable GNOME3 Screensaver Lock After Idle Period + + Fedora + + + Idle activation of the screen lock should be enabled. 
+ + + + + + + + + + + + + Set GNOME3 Screensaver Lock Delay After Activation Period + + Fedora + + + Idle activation of the screen lock should be enabled immediately or + after a delay. + + + + + + + + + + + + + + Set GNOME3 Screensaver Inactivity Timeout + + Fedora + + + The allowed period of inactivity before the screensaver is activated. + + + + + + + + + + + + + + Ensure Users Cannot Change GNOME3 Screensaver Idle Activation + + Fedora + + + Idle activation of the screen saver should not be changed by users. + + + + + + + + + + + + Enable GNOME3 Screensaver Idle Activation + + Fedora + + + Idle activation of the screen saver should be enabled. + + + + + + + + + + + + + Require Encryption for Remote Access in GNOME3 + + Fedora + + + Configure GNOME3 to require encryption for remote access connections. + + + + + + + + + + + + + Require Credential Prompting for Remote Access in GNOME3 + + Fedora + + + Configure GNOME3 to require credential prompting for remote access. + + + + + + + + + + + + + Set the GNOME3 Login Number of Failures + + Fedora + + + Set the GNOME3 number of login failure attempts. + + + + + + + + + + + + + Set the GNOME3 Login Warning Banner Text + + Fedora + + + Enable the GUI warning banner. + + + + + + + + + + + + + Enable the GNOME3 Screen Locking On Smartcard Removal + + Fedora + + + Ensure 'removal-action' is configured with value 'lock-screen in section 'org/gnome/settings-daemon/peripherals/smartcard' in /etc/dconf/db/local.d/ + + + + + + + + + Enable the GNOME3 Login Smartcard Authentication + + Fedora + + + Enable smartcard authentication in the GNOME3 Login GUI. + + + + + + + + + + + + + Disable WIFI Network Notification in GNOME3 + + Fedora + + + Disable the GNOME3 wireless network notification. + + + + + + + + + + + + + Disable WIFI Network Connection Creation in GNOME3 + + Fedora + + + Disable the GNOME3 wireless network creation settings. 
+ + + + + + + + + + + + + Disable the GNOME3 Login User List + + Fedora + + + Disable the GNOME3 GUI listing of all known users on the login screen. + + + + + + + + + + + + + Disable User Administration in GNOME3 + + Fedora + + + Ensure 'user-administration-disabled' is configured with value 'true in section 'org/gnome/desktop/lockdown' in /etc/dconf/db/local.d/ + + + + + + + + + Disable All GNOME3 Thumbnailers + + Fedora + + + The system's default desktop environment, GNOME3, uses a + number of different thumbnailer programs to generate thumbnails for any + new or modified content in an opened folder. Disable the execution of + these thumbnail applications within GNOME3. + + + + + + + + + + + + + Disable the GNOME3 Login Restart and Shutdown Buttons + + Fedora + + + Disable the GNOME3 Login GUI Restart and Shutdown buttons to all users on the login screen. + + + + + + + + + + + + + Disable Power Settings in GNOME3 + + Fedora + + + Disable GNOME3 power settings. + + + + + + + + + + + + + Disable Geolocation in GNOME3 + + Fedora + + + Disable GNOME3 Geolocation for the clock and system. + + + + + + + + + + + + + + + Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 + + Fedora + + + Disable the GNOME3 ctrl-alt-del reboot key sequence in GNOME3. + + + + + + + + + + + + + Disable GNOME3 autorun + + Fedora + + + The system's default desktop environment, GNOME3, will mount + devices and removable media (such as DVDs, CDs and USB flash drives) + whenever they are inserted into the system. Disable autorun within GNOME3. + + + + + + + + + + + + + Disable GNOME3 automount-open + + Fedora + + + The system's default desktop environment, GNOME3, will mount + devices and removable media (such as DVDs, CDs and USB flash drives) + whenever they are inserted into the system. Disable automount-open within GNOME3. 
+ + + + + + + + + + + + + Disable GNOME3 automount + + Fedora + + + The system's default desktop environment, GNOME3, will mount + devices and removable media (such as DVDs, CDs and USB flash drives) + whenever they are inserted into the system. Disable automount within GNOME3. + + + + + + + + + + + + + Enable GNOME3 Login Warning Banner + + Fedora + + + Enable the GNOME3 Login warning banner. + + + + + + + + + + + + + Make sure that the dconf databases are up-to-date with regards to respective keyfiles + + Fedora + + + Make sure that the dconf databases are up-to-date with regards to respective keyfiles. + + + + + + + + + + + + + + Ensure SELinux Not Disabled in the kernel arguments + + Fedora + + + Ensure selinux=0 argument is not present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline. + + + + + + + + + + + + + + + + + + + Disable storing core dump + + Fedora + + + Ensure 'Storage' is configured with value 'none in section 'Coredump' in /etc/systemd/coredump.conf + + + + + + + + Disable core dump backtraces + + Fedora + + + Ensure 'ProcessSizeMax' is configured with value '0 in section 'Coredump' in /etc/systemd/coredump.conf + + + + + + + + Log USBGuard daemon audit events using Linux Audit + + Fedora + + + Ensure 'AuditBackend' is configured with value 'LinuxAudit' in /etc/usbguard/usbguard-daemon.conf + + + + + + + + + + + Configure the tmux Lock Command + + Fedora + + + Check if the vlock command is configured to be used as a locking mechanism in tmux. + + + + + + + + Configure tmux to lock session after inactivity + + Fedora + + + Check if tmux is configured to lock sessions after period of inactivity. 
+ + + + + + + + Configure SSH to use System Crypto Policy + + Fedora + + + SSH should be configured to use the system-wide crypto policy setting. + + + + + + + + Configure OpenSSL library to use System Crypto Policy + + Fedora + + + OpenSSL should be configured to use the system-wide crypto policy setting. + + + + + + + + Configure NSS DB To Use opensc + + Fedora + + + The NSS DB should be set to use opensc library. + + + + + + + + Configure opensc Smart Card Drivers + + Fedora + + + Configure the organization's smart card driver so that only + the smart card in use by the organization will be recognized by the system. + + + + + + + + Configure Libreswan to use System Crypto Policy + + Fedora + + + Libreswan should be configured to use the system-wide crypto policy setting. + + + + + + + + + Configure Kerberos to use System Crypto Policy + + Fedora + + + Kerberos should be configured to use the system-wide crypto policy setting. + + + + + + + + + Configure System Cryptography Policy + + Fedora + + + Ensure crypto policy is correctly configured in /etc/crypto-policies/config, and the policy is current. + + + + + + + + + + + Configure BIND to use System Crypto Policy + + Fedora + + + BIND should be configured to use the system-wide crypto policy setting. + + + + + + + + + Support session locking with tmux + + Fedora + + + Check if tmux is configured to exec at the end of bashrc. + + + + + + + + A remote time server for Chrony is configured + + Fedora + + + A remote NTP Server for time synchronization should be + specified (and dependencies are met) + + + + + + + + Specify Multiple Remote chronyd NTP Servers for Time Data + + Fedora + + + Multiple chronyd NTP Servers for time synchronization should be specified. + + + + + + + + Ensure that chronyd is running under chrony user account + + Fedora + + + Ensure 'OPTIONS' is configured with value '["]?.*-u chrony.*["]?' 
in /etc/sysconfig/chronyd + + + + + + + + + + + Specify a Remote NTP Server + + Fedora + + + A remote chronyd or ntpd NTP Server for time synchronization should be specified (and dependencies are met) + + + + + + + + + + + + + + + Specify Additional Remote NTP Servers + + Fedora + + + Multiple remote chronyd or ntpd NTP Servers for time synchronization should be specified (and dependencies are met) + + + + + + + + + + + + + + + Configure Time Service Maxpoll Interval + + Fedora + + + Configure the maxpoll setting in /etc/ntp.conf or chrony.conf + to continuously poll the time source servers. + + + + + + + + + + + + + + + Disable network management of chrony daemon + + Fedora + + + Configure the cmdport setting in /etc/chrony.conf to disable + chronyc management connections over network. + + + + + + + + + Disable chrony daemon from acting as server + + Fedora + + + Configure the port setting in /etc/chrony.conf to disable + server operation. + + + + + + + + + Verify GRUB_DISABLE_RECOVERY Set to true + + Fedora + + + GRUB_DISABLE_RECOVERY set to 'true' in + /etc/default/grub + + + + + + + + Modify the System Message of the Day Banner + + Fedora + + + The system login banner text should be set correctly. + + + + + + + + Modify the System Login Banner + + Fedora + + + The system login banner text should be set correctly. 
+ + + + + + + + Write Audit Logs to the Disk + + Fedora + + + Ensure 'write_logs' is configured with value 'yes' in /etc/audit/auditd.conf + + + + + + + + + Set hostname as computer node name in audit logs + + Fedora + + + Ensure 'name_format' is configured with value 'hostname' in /etc/audit/auditd.conf + + + + + + + + Resolve information before writing to audit logs + + Fedora + + + Ensure 'log_format' is configured with value 'ENRICHED' in /etc/audit/auditd.conf + + + + + + + + Include Local Events in Audit Logs + + Fedora + + + Ensure 'local_events' is configured with value 'yes' in /etc/audit/auditd.conf + + + + + + + + + Set number of records to cause an explicit flush to audit logs + + Fedora + + + Ensure 'freq' is configured with value '50' in /etc/audit/auditd.conf + + + + + + + + Configure auditd space_left Action on Low Disk Space + + Fedora + + + space_left_action setting in /etc/audit/auditd.conf is set to a certain action + + + + + + + + Configure auditd Number of Logs Retained + + Fedora + + + num_logs setting in /etc/audit/auditd.conf is set to at least a certain value + + + + + + + + Configure auditd max_log_file_action Upon Reaching Maximum Log Size + + Fedora + + + max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action + + + + + + + + Configure auditd Max Log File Size + + Fedora + + + max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value + + + + + + + + Configure auditd flush priority + + Fedora + + + The setting for flush in /etc/audit/auditd.conf + + + + + + + + Configure auditd admin_space_left Action on Low Disk Space + + Fedora + + + admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action + + + + + + + + Configure auditd mail_acct Action on Low Disk Space + + Fedora + + + action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account + + + + + + + + Configure auditd Disk Full Action when Disk Space Is Full + + Fedora + + + disk_full_action 
setting in /etc/audit/auditd.conf is set to a certain action + + + + + + + + Configure auditd Disk Error Action on Disk Error + + Fedora + + + disk_error_action setting in /etc/audit/auditd.conf is set to a certain action + + + + + + + + 'log_group' Not Set To 'root' In /etc/audit/auditd.conf + + Fedora + + + Verify 'log_group' is not set to 'root' in + /etc/audit/auditd.conf. + + + + + + + + Configure auditd to use audispd's syslog plugin + + Fedora + + + active setting in /etc/audit/plugins.d/syslog.conf is set to 'yes' + + + + + + + + Encrypt Audit Records Sent With audispd Plugin + + Fedora + + + transport setting in /etc/audit/audisp-remote.conf is set to 'KRB5' + + + + + + + + Configure audispd Plugin To Send Logs To Remote Server + + Fedora + + + remote_server setting in /etc/audit/audisp-remote.conf is set to a certain IP address or hostname + + + + + + + + Record Events that Modify User/Group Information - /etc/shadow + + Fedora + + + Audit user/group modification. + + + + + + + + + + + + + + + Record Events that Modify User/Group Information - /etc/passwd + + Fedora + + + Audit user/group modification. + + + + + + + + + + + + + + + Record Events that Modify User/Group Information - /etc/security/opasswd + + Fedora + + + Audit user/group modification. + + + + + + + + + + + + + + + Record Events that Modify User/Group Information - /etc/gshadow + + Fedora + + + Audit user/group modification. + + + + + + + + + + + + + + + Record Events that Modify User/Group Information - /etc/group + + Fedora + + + Audit user/group modification. + + + + + + + + + + + + + + + Record Events that Modify User/Group Information + + Fedora + + + Audit rules should detect modification to system files that hold information about users and groups. + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Delete Attempts to Files - unlinkat + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Delete Attempts to Files - unlink + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Access Attempts to Files - truncate + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Permission Changes to Files - setxattr + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Delete Attempts to Files - renameat + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Delete Attempts to Files - rename + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Permission Changes to Files - removexattr + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly + + Fedora + + + Audit rules about the information on the unsuccessful use of openat is configured in the proper rule order. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE + + Fedora + + + Audit rules about the information on the unsuccessful use of openat O_TRUNC is enabled. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Creation Attempts to Files - openat O_CREAT + + Fedora + + + Audit rules about the information on the unsuccessful use of openat O_CREAT is enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Access Attempts to Files - openat + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly + + Fedora + + + Audit rules about the information on the unsuccessful use of open is configured in the proper rule order. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE + + Fedora + + + Audit rules about the information on the unsuccessful use of open O_TRUNC is enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Creation Attempts to Files - open O_CREAT + + Fedora + + + Audit rules about the information on the unsuccessful use of open O_CREAT is enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly + + Fedora + + + Audit rules about the information on the unsuccessful use of open_by_handle_at is configured in the proper rule order. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE + + Fedora + + + Audit rules about the information on the unsuccessful use of open_by_handle_at O_TRUNC is enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT + + Fedora + + + Audit rules about the information on the unsuccessful use of open_by_handle_at O_CREAT is enabled. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Access Attempts to Files - open_by_handle_at + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Access Attempts to Files - open + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Permission Changes to Files - lsetxattr + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Permission Changes to Files - lremovexattr + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Ownership Changes to Files - lchown + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Access Attempts to Files - ftruncate + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Permission Changes to Files - fsetxattr + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Permission Changes to Files - fremovexattr + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Ownership Changes to Files - fchownat + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Ownership Changes to Files - fchown + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Permission Changes to Files - fchmodat + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Permission Changes to Files - fchmod + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessful Access Attempts to Files - creat + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Ownership Changes to Files - chown + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Record Unsuccessul Permission Changes to Files - chmod + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) + + Fedora + + + Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. + + + + + + + + + + + + + Record Attempts to Alter the localtime File + + Fedora + + + Record attempts to alter time through /etc/localtime. 
+ + + + + + + + + + + + + + + Record Attempts to Alter Time Through stime + + Fedora + + + Record attempts to alter time through stime. Note that on + 64-bit architectures the stime system call is not defined in the audit + system calls lookup table. + + + + + + + + + + + + + + + + + + + + + Record attempts to alter time through settimeofday + + Fedora + + + Record attempts to alter time through settimeofday. + + + + + + + + + + + + + + + + + + + + + + + Record Attempts to Alter Time Through clock_settime + + Fedora + + + Record attempts to alter time through clock_settime. + + + + + + + + + + + + + + + + + + + + + + + Record attempts to alter time through adjtimex + + Fedora + + + Record attempts to alter time through adjtimex. + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects System Administrator Actions + + Fedora + + + Audit actions taken by system administrators on the system. + + + + + + + + + + + + + + + + + Record Attempts to Alter Process and Session Initiation Information + + Fedora + + + Audit rules should capture information about session initiation. + + + + + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl + + Fedora + + + Audit rules about the information on the use of usernetctl is enabled. + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - userhelper + + Fedora + + + Audit rules about the information on the use of userhelper is enabled. + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd + + Fedora + + + Audit rules about the information on the use of unix_chkpwd is enabled. + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - umount + + Fedora + + + Audit rules about the information on the use of umount is enabled. 
+ + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit + + Fedora + + + Audit rules about the information on the use of sudoedit is enabled. + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - sudo + + Fedora + + + Audit rules about the information on the use of sudo is enabled. + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - su + + Fedora + + + Audit rules about the information on the use of su is enabled. + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign + + Fedora + + + Audit rules about the information on the use of ssh_keysign is enabled. + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown + + Fedora + + + Audit rules about the information on the use of pt_chown is enabled. + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - passwd + + Fedora + + + Audit rules about the information on the use of passwd is enabled. + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap + + Fedora + + + Audit rules about the information on the use of newuidmap is enabled. + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - newgrp + + Fedora + + + Audit rules about the information on the use of newgrp is enabled. + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap + + Fedora + + + Audit rules about the information on the use of newgidmap is enabled. + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - mount + + Fedora + + + Audit rules about the information on the use of mount is enabled. 
+ + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd + + Fedora + + + Audit rules about the information on the use of gpasswd is enabled. + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - crontab + + Fedora + + + Audit rules about the information on the use of crontab is enabled. + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - chsh + + Fedora + + + Audit rules about the information on the use of chsh is enabled. + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - chage + + Fedora + + + Audit rules about the information on the use of chage is enabled. + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands - at + + Fedora + + + Audit rules about the information on the use of at is enabled. + + + + + + + + + + + + + + + Ensure auditd Collects Information on the Use of Privileged Commands + + Fedora + + + Audit rules about the information on the use of privileged commands are enabled. + + + + + + + + + + + + + + + + + Record Events that Modify the System's Network Environment + + Fedora + + + The network environment should not be modified by anything other than + administrator action. Any change to network parameters should be audited. + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Network Environment + + Fedora + + + The network environment should not be modified by anything other than + administrator action. Any change to network parameters should be audited. + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Network Environment + + Fedora + + + The network environment should not be modified by anything other than + administrator action. Any change to network parameters should be audited. 
+ + + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects Information on Exporting to Media (successful) + + Fedora + + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Mandatory Access Controls + + Fedora + + + Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled. + + + + + + + + + + + + + + + Record Attempts to Alter Logon and Logout Events - tallylog + + Fedora + + + Audit rules should be configured to log successful and unsuccessful login and logout events. + + + + + + + + + + + + + + + Record Attempts to Alter Logon and Logout Events - lastlog + + Fedora + + + Audit rules should be configured to log successful and unsuccessful login and logout events. + + + + + + + + + + + + + + + Record Attempts to Alter Logon and Logout Events - faillock + + Fedora + + + Audit rules should be configured to log successful and unsuccessful login and logout events. + + + + + + + + + + + + + + + Record Attempts to Alter Logon and Logout Events + + Fedora + + + Audit rules should be configured to log successful and unsuccessful login and logout events. + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Loading - init_module + + Fedora + + + The audit rules should be configured to log information about kernel module loading and unloading. + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module + + Fedora + + + The audit rules should be configured to log information about kernel module loading and unloading. + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Unloading - delete_module + + Fedora + + + The audit rules should be configured to log information about kernel module loading and unloading. 
+ + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects Information on Kernel Module Loading and Unloading + + Fedora + + + The audit rules should be configured to log information about kernel module loading and unloading. + + + + + + + + + + Make the auditd Configuration Immutable + + Fedora + + + Force a reboot to change audit rules is enabled + + + + + + + + + + + + + + + Ensure auditd Collects File Deletion Events by User - unlinkat + + Fedora + + + The deletion of files should be audited. + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects File Deletion Events by User - unlink + + Fedora + + + The deletion of files should be audited. + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects File Deletion Events by User - rmdir + + Fedora + + + The deletion of files should be audited. + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects File Deletion Events by User - renameat + + Fedora + + + The deletion of files should be audited. + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects File Deletion Events by User - rename + + Fedora + + + The deletion of files should be audited. + + + + + + + + + + + + + + + + + + + + + + + Ensure auditd Collects File Deletion Events by User + + Fedora + + + Audit files deletion events. + + + + + + + + + + + + Record Any Attempts to Run seunshare + + Fedora + + + Audit rules about the information on the use of seunshare is enabled. + + + + + + + + + + + + + + + Record Any Attempts to Run setsebool + + Fedora + + + Audit rules about the information on the use of setsebool is enabled. + + + + + + + + + + + + + + + Record Any Attempts to Run semanage + + Fedora + + + Audit rules about the information on the use of semanage is enabled. + + + + + + + + + + + + + + + Record Any Attempts to Run restorecon + + Fedora + + + Audit rules about the information on the use of restorecon is enabled. 
+ + + + + + + + + + + + + + + Record Any Attempts to Run chcon + + Fedora + + + Audit rules about the information on the use of chcon is enabled. + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via openat syscall - /etc/shadow + + Fedora + + + Audit rules about the write events to /etc/shadow + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow + + Fedora + + + Audit rules about the write events to /etc/shadow + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via open syscall - /etc/shadow + + Fedora + + + Audit rules about the write events to /etc/shadow + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via openat syscall - /etc/passwd + + Fedora + + + Audit rules about the write events to /etc/passwd + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd + + Fedora + + + Audit rules about the write events to /etc/passwd + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via open syscall - /etc/passwd + + Fedora + + + Audit rules about the write events to /etc/passwd + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via openat syscall - /etc/gshadow + + Fedora + + + Audit rules about the write events to /etc/gshadow + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow + + Fedora + + + Audit rules about the write events to /etc/gshadow + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via open syscall - /etc/gshadow + + Fedora + + + Audit rules about the write events to /etc/gshadow + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify 
User/Group Information via openat syscall - /etc/group + + Fedora + + + Audit rules about the write events to /etc/group + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group + + Fedora + + + Audit rules about the write events to /etc/group + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify User/Group Information via open syscall - /etc/group + + Fedora + + + Audit rules about the write events to /etc/group + + + + + + + + + + + + + + + + + + + + + + + Enable Syscall Auditing + + Fedora + + + Syscall auditing should not be disabled. + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - umount + + Fedora + + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - umount2 + + Fedora + + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - setxattr + + Fedora + + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - removexattr + + Fedora + + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - lsetxattr + + Fedora + + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - lremovexattr + + Fedora + + + The changing of file permissions and attributes should be audited. 
+ + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - lchown + + Fedora + + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fsetxattr + + Fedora + + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fremovexattr + + Fedora + + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchownat + + Fedora + + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchown + + Fedora + + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchmodat + + Fedora + + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - fchmod + + Fedora + + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - chown + + Fedora + + + The changing of file permissions and attributes should be audited. + + + + + + + + + + + + + + + + + + + + + + + Record Events that Modify the System's Discretionary Access Controls - chmod + + Fedora + + + The changing of file permissions and attributes should be audited. 
+ + + + + + + + + + + + + + + + + + + + + + + Record Any Attempts to Run semanage + + Fedora + + + Test if augenrules is enabled for audit rules. + + + + + + + + Record Any Attempts to Run semanage + + Fedora + + + Test if auditctl is in use for audit rules. + + + + + + + + Configure Periodic Execution of AIDE + + Fedora + + + By default, AIDE does not install itself for periodic + execution. Periodically running AIDE is necessary to reveal + unexpected changes in installed files. + + + + + + + + + + + + + + + Build and Test AIDE Database + + Fedora + + + The aide database must be initialized. + + + + + + + + + + Ensure the Default Umask is Set Correctly in /etc/profile + + Fedora + + + The default umask for all users should be set correctly + + + + + + + + + Ensure the Default Umask is Set Correctly in login.defs + + Fedora + + + The default umask for all users specified in /etc/login.defs + + + + + + + + + Set Interactive Session Timeout + + Fedora + + + Checks interactive shell timeout + + + + + + + + + Ensure that Root's Path Does Not Include World or Group-Writable Directories + + Fedora + + + Check each directory in root's path and make use it does + not grant write permission to group and other + + + + + + + + Configure Polyinstantiation of /var/tmp Directories + + Fedora + + + + + + + + + + + + Configure Polyinstantiation of /tmp Directories + + Fedora + + + + + + + + + + + + Set Lockout Time for Failed Password Attempts + + Fedora + + + The unlock time after number of failed logins should be set correctly. + + + + + + + + + + + + + + + Set Interval For Counting Failed Password Attempts + + Fedora + + + The number of allowed failed logins should be set correctly. 
+ + + + + + + + + + + + + Enforce pam_faillock for Local Accounts Only + + Fedora + + + Check presence of local_users_only in /etc/security/faillock.conf + + + + + + + + + Configure the root Account for Failed Password Attempts + + Fedora + + + The root account should be configured to deny access after the number of defined + failed attempts has been reached. + + + + + + + + + + + Set Deny For Failed Password Attempts + + Fedora + + + The number of allowed failed logins should be set correctly. + + + + + + + + + + + + + + + + + + + + + Set Password Warning Age + + Fedora + + + The password expiration warning age should be set appropriately. + + + + + + + + Set number of Password Hashing Rounds - system-auth + + Fedora + + + The number of rounds for password hashing should be set correctly. + + + + + + + + + + + + Set number of Password Hashing Rounds - password-auth + + Fedora + + + The number of rounds for password hashing should be set correctly. + + + + + + + + + + + + Limit Password Reuse + + Fedora + + + The passwords to remember should be set correctly. 
+ + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters + + Fedora + + + The password ucredit should meet minimum requirements + + + + + + + + + Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session + + Fedora + + + The password retry should meet minimum requirements + + + + + + + + Check pam_pwquality Existence in system-auth + + Fedora + + + Check that pam_pwquality.so exists in system-auth + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Special Characters + + Fedora + + + The password ocredit should meet minimum requirements + + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Length + + Fedora + + + The password minlen should meet minimum requirements + + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Different Categories + + Fedora + + + The password minclass should meet minimum requirements + + + + + + + + + Set Password Maximum Consecutive Repeating Characters + + Fedora + + + The password maxrepeat should meet minimum requirements + + + + + + + + + Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class + + Fedora + + + The password maxclassrepeat should meet minimum requirements + + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters + + Fedora + + + The password lcredit should meet minimum requirements + + + + + + + + + Check pam_faillock Existence in system-auth + + Fedora + + + Check that pam_faillock.so exists in system-auth + + + + + + + + Ensure PAM Enforces Password Requirements - Enforce for root User + + Fedora + + + Check presence of enforce_for_root in /etc/security/pwquality.conf + + + + + + + + + Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only + + Fedora + + + Check presence of local_users_only in /etc/security/pwquality.conf + + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum 
Different Characters + + Fedora + + + The password difok should meet minimum requirements + + + + + + + + + Ensure PAM Enforces Password Requirements - Minimum Digit Characters + + Fedora + + + The password dcredit should meet minimum requirements + + + + + + + + + Set Password Minimum Length in login.defs + + Fedora + + + The password minimum length should be set appropriately. + + + + + + + + Verify All Account Password Hashes are Shadowed + + Fedora + + + All password hashes should be shadowed. + + + + + + + + Verify Only Root Has UID 0 + + Fedora + + + Only the root account should be assigned a user id of 0. + + + + + + + + Set Password Minimum Age + + Fedora + + + The minimum password age policy should be set appropriately. + + + + + + + + Set Password Maximum Age + + Fedora + + + The maximum password age policy should meet minimum requirements. + + + + + + + + Limit the Number of Concurrent Login Sessions Allowed Per User + + Fedora + + + The maximum number of concurrent login sessions per user should meet + minimum requirements. + + + + + + + + + + + + Ensure the Logon Failure Delay is Set Correctly in login.defs + + Fedora + + + The delay between failed authentication attempts should be + set for all users specified in /etc/login.defs + + + + + + + + Ensure Home Directories are Created for New Users + + Fedora + + + CREATE_HOME should be enabled + + + + + + + + Ensure All Accounts on the System Have Unique Names + + Fedora + + + All accounts on the system should have unique names for proper accountability. + + + + + + + + Set Account Expiration Following Inactivity + + Fedora + + + The accounts should be configured to expire automatically following password expiration. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^/etc/sudoers(\.d/.*)?$ + ^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*\([\w\s]*\b(root|ALL)\b[\w\s]*\) + 1 + + + /etc/dnf/dnf.conf + ^\s*localpkg_gpgcheck\s*=\s*(1|True|yes)\s*$ + 1 + + + /proc/net/wireless + ^\s*[-\w]+: + 1 + + + /etc/securetty + ^vc/[0-9]+$ + 1 + + + /etc/sudoers.d + ^.*$ + ^(?!(#|vdsm.*)).*[\s]+NOPASSWD[\s]*\:.*$ + 1 + + + /etc/sudoers + ^(?!(#|vdsm.*)).*[\s]+NOPASSWD[\s]*\:.*$ + 1 + + + oval:ssg-var_umask_for_daemons_umask_as_number:var:1 + + + oval:ssg-var_rfp_syslog_config:var:1 + + + 
oval:ssg-var_rfp_include_config_regex:var:1 + + + + oval:ssg-object_var_rfp_include_config_regex:obj:1 + oval:ssg-object_var_rfp_syslog_config:obj:1 + + + + oval:ssg-var_rfo_syslog_config:var:1 + + + oval:ssg-var_rfo_include_config_regex:var:1 + + + + oval:ssg-object_var_rfo_include_config_regex:obj:1 + oval:ssg-object_var_rfo_syslog_config:obj:1 + + + + oval:ssg-var_rfg_syslog_config:var:1 + + + oval:ssg-var_rfg_include_config_regex:var:1 + + + + oval:ssg-object_var_rfg_include_config_regex:obj:1 + oval:ssg-object_var_rfg_syslog_config:obj:1 + + + + oval:ssg-var_removable_partition:var:1 + + + /var + + + /var + + + /var + + + /var/log + + + /var/log + + + /var/log + + + /var/log/audit + + + /var/log/audit + + + /var/log/audit + + + + /var/log/audit + ^.*$ + oval:ssg-state_not_mode_0600:ste:1 + + + + /var/log/audit + ^.*$ + oval:ssg-state_not_mode_0640:ste:1 + + + + /var/log/audit + ^.*$ + oval:ssg-state_not_mode_0700:ste:1 + + + + /var/log/audit + ^.*$ + oval:ssg-state_not_mode_0750:ste:1 + + + oval:ssg-var_accounts_passwords_pam_faillock_unlock_time:var:1 + + + oval:ssg-var_accounts_user_umask_umask_as_number:var:1 + + + ^/etc/sudoers(|\.d/.*)$ + ^[\s]*Defaults.*\buse_pty\b.*$ + 1 + + + /etc/pam.d/su + ^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$ + 1 + + + + /tmp + + + /tmp + + + /tmp + + + ^/etc/sudoers(\.d/.*)?$ + ^Defaults !targetpw$\r?\n + 1 + + + ^/etc/sudoers(\.d/.*)?$ + ^Defaults !runaspw$\r?\n + 1 + + + ^/etc/sudoers(\.d/.*)?$ + ^Defaults !rootpw$\r?\n + 1 + + + /etc/vsftpd/vsftpd.conf + ^[\s]*banner_file=/etc/issue[\s]*$ + 1 + + + /etc/vsftpd/vsftpd.conf + ^[\s]*log_ftp_protocol[\s]*=[\s]*YES$ + 1 + + + /etc/vsftpd/vsftpd.conf + ^[\s]*xferlog_std_format[\s]*=[\s]*NO$ + 1 + + + /etc/vsftpd/vsftpd.conf + ^[\s]*xferlog_enable[\s]*=[\s]*YES$ + 1 + + + /etc/crontab + ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ + 1 + + + /etc/cron.d + 
^.*$ + ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$ + 1 + + + /sys/firmware/opal + + + + / + [a-z]+ + oval:ssg-state_setuid_or_setgid_set:ste:1 + oval:ssg-state_dev_proc_sys_dirs:ste:1 + + + + + + + + + ^/etc/pam.d/system-auth$ + ^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*rounds=([0-9]*).*$ + 1 + + + oval:ssg-var_password_pam_unix_rounds:var:1 + + + vm.mmap_min_addr + + + user.max_user_namespaces + + + net.ipv6.conf.default.router_solicitations + + + net.ipv6.conf.default.max_addresses + + + net.ipv6.conf.default.autoconf + + + net.ipv6.conf.default.accept_redirects + + + net.ipv6.conf.default.accept_ra_rtr_pref + + + net.ipv6.conf.default.accept_ra_pinfo + + + net.ipv6.conf.default.accept_ra_defrtr + + + net.ipv6.conf.default.accept_ra + + + net.ipv6.conf.all.router_solicitations + + + net.ipv6.conf.all.max_addresses + + + net.ipv6.conf.all.disable_ipv6 + + + net.ipv6.conf.all.autoconf + + + net.ipv6.conf.all.accept_ra_rtr_pref + + + net.ipv6.conf.all.accept_ra_pinfo + + + net.ipv6.conf.all.accept_ra_defrtr + + + net.ipv4.tcp_syncookies + + + net.ipv4.ip_local_port_range + + + net.ipv4.ip_forward + + + net.ipv4.icmp_ignore_bogus_error_responses + + + net.ipv4.icmp_echo_ignore_broadcasts + + + net.ipv4.conf.default.send_redirects + + + net.ipv4.conf.default.secure_redirects + + + net.ipv4.conf.default.rp_filter + + + net.ipv4.conf.default.log_martians + + + net.ipv4.conf.default.accept_source_route + + + net.ipv4.conf.default.accept_redirects + + + net.ipv4.conf.all.send_redirects + + + net.ipv4.conf.all.secure_redirects + + + net.ipv4.conf.all.rp_filter + + + net.ipv4.conf.all.log_martians + + + net.ipv4.conf.all.accept_source_route + + + net.ipv4.conf.all.accept_redirects + + + net.core.bpf_jit_harden + + + kernel.yama.ptrace_scope + + + kernel.unprivileged_bpf_disabled + + + kernel.sysrq + + + kernel.randomize_va_space + + + 
kernel.pid_max + + + kernel.perf_event_paranoid + + + kernel.perf_event_max_sample_rate + + + kernel.perf_cpu_time_max_percent + + + kernel.modules_disabled + + + kernel.kptr_restrict + + + kernel.kexec_load_disabled + + + kernel.dmesg_restrict + + + kernel.core_pattern + + + fs.suid_dumpable + + + fs.protected_symlinks + + + fs.protected_hardlinks + + + kernel.exec-shield + + + crypto.fips_enabled + + + oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 + + + ^/etc/sudoers(\.d/.*)?$ + ^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,!\n][^,\n]+,)*\s*(?:\([^\)]+\))?\s*(?!\s*\()(!\S+).* + 1 + + + ^/etc/sudoers(\.d/.*)?$ + ^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$)) + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*vm.mmap_min_addr[\s]*=[\s]*65536[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*user.max_user_namespaces[\s]*=[\s]*0[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.max_addresses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.autoconf[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + 
(?:^|.*\n)[^#]*net.ipv6.conf.all.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.max_addresses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.autoconf[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.ip_local_port_range[\s]*=[\s]*32768\s*65535[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + 
/usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.sysrq[\s]*=[\s]*0[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.pid_max[\s]*=[\s]*65536[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.perf_event_max_sample_rate[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.perf_cpu_time_max_percent[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.modules_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ 
+ ^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$ + 1 + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*vm.mmap_min_addr[\s]*=[\s]*65536[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*user.max_user_namespaces[\s]*=[\s]*0[\s]*$ + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.default.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.default.max_addresses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.default.autoconf[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.all.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.all.max_addresses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.all.autoconf[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + 
/etc/sysctl.conf + ^[\s]*net.ipv4.ip_local_port_range[\s]*=[\s]*32768\s*65535[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$ + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.conf + ^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*kernel.sysrq[\s]*=[\s]*0[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ + 1 + + + /etc/sysctl.conf + 
^[\s]*kernel.pid_max[\s]*=[\s]*65536[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*kernel.perf_event_max_sample_rate[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*kernel.perf_cpu_time_max_percent[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*kernel.modules_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*kernel.exec-shield[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.conf + ^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*vm.mmap_min_addr[\s]*=[\s]*65536[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*user.max_user_namespaces[\s]*=[\s]*0[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.max_addresses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.autoconf[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + 
(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.max_addresses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.autoconf[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.ip_local_port_range[\s]*=[\s]*32768\s*65535[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + 
(?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.sysrq[\s]*=[\s]*0[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.pid_max[\s]*=[\s]*65536[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.perf_event_max_sample_rate[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.perf_cpu_time_max_percent[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.modules_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$ + 1 + + + /run/sysctl.d + 
^.*\.conf$ + ^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$ + 1 + + + /run/sysctl.d + ^.*\.conf$ + ^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*vm.mmap_min_addr[\s]*=[\s]*65536[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*user.max_user_namespaces[\s]*=[\s]*0[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.max_addresses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.autoconf[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.router_solicitations[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.max_addresses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.autoconf[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_rtr_pref[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_pinfo[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + 
(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra_defrtr[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.ip_local_port_range[\s]*=[\s]*32768\s*65535[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + (?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n + 1 + + + /etc/sysctl.d + ^.*\.conf$ + 
^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.sysrq[\s]*=[\s]*0[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.pid_max[\s]*=[\s]*65536[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.perf_event_max_sample_rate[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.perf_cpu_time_max_percent[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.modules_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sysctl.d + ^.*\.conf$ + ^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$ + 1 + + + /etc/sssd/sssd.conf + + + oval:ssg-sshd_required:var:1 + + + oval:ssg-sshd_required:var:1 + + + oval:ssg-sshd_required:var:1 + + + /etc/ssh/sshd_config + ^[\s]*(?i)MaxSessions[\s]+(\d+)[\s]*(?:#.*)?$ + 1 + + + /etc/ssh/sshd_config + ^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$ + 1 + + + /etc/ssh/sshd_config + ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$ + 1 + + + /etc/ssh/sshd_config + ^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$ + 1 + + + /srv + + + /etc/snmp/snmpd.conf + ^[\s]*(com2se|rocommunity|rwcommunity) + 1 + + + 
/etc/snmp/snmpd.conf + ^((?!#).)*(public|private).* + 1 + + + + /etc/pam.d/system-auth + + 1 + + + + /etc/pam.d/smartcard-auth + + 1 + + + + /etc/pam.d/system-auth + + 1 + + + /etc/securetty + ^ttyS[0-9]+$ + 1 + + + /etc/grub.d + ^.*$ + ^.*(selinux|enforcing)=0.*$ + 1 + + + /etc/grub2.cfg + ^.*(selinux|enforcing)=0.*$ + 1 + + + /etc/selinux/config + ^[\s]*SELINUX[\s]*=[\s]*enforcing[\s]*$ + 1 + + + + oval:ssg-state_selinux_dev_unlabeled_t:ste:1 + + + + oval:ssg-state_selinux_dev_device_t:ste:1 + + + /etc/default/grub + ^[\s]*GRUB_CMDLINE_LINUX.*(selinux|enforcing)=0.*$ + 1 + + + + /proc + ^.*$ + oval:ssg-state_selinux_confinement_of_daemons:ste:1 + + + /etc/rsyslog.conf + ^[\s]*\$((?:Input(?:TCP|RELP)|UDP)ServerRun|ModLoad[\s]+(imtcp|imudp|imrelp)) + 1 + + + + + + + + + + + + + PATH + + + /etc/rsyslog.conf + ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ + 1 + + + + ^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ + 1 + oval:ssg-state_permissions_ignore_include_paths:ste:1 + + + /etc/rsyslog.conf + ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ + 1 + + + + ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ + 1 + oval:ssg-state_owner_ignore_include_paths:ste:1 + + + /etc/rsyslog.conf + ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ + 1 + + + + ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ + 1 + oval:ssg-state_groupownership_ignore_include_paths:ste:1 + + + ^/etc/sudoers(|\.d/.*)$ + ^[\s]*Defaults.*\brequiretty\b.*$ + 1 + + + + + + /etc/rsyslog.d + .* + ^\*\.\*[\s]+(?:@|\:omrelp\:) + 1 + + + /etc/rsyslog.conf + ^\*\.\*[\s]+(?:@|\:omrelp\:) + 1 + + + ^.*$ + oval:ssg-state_promisc:ste:1 + + + /proc/sys/kernel/osrelease + ^.*\.(.*)$ + 1 + + + /proc/sys/kernel/osrelease + ^.*\.(.*)$ + 1 + + + /proc/cpuinfo + ^flags\s+:\s+(.*)$ + 1 + + + ^/etc/pam.d/password-auth$ + ^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*rounds=([0-9]*).*$ + 1 + + + oval:ssg-var_password_pam_unix_rounds:var:1 + + + 
/etc/pam.d/system-auth + ^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$ + 1 + + + /etc/pam_pkcs11/pam_pkcs11.conf + ^[\s]*cert_policy[ ]=(.*)$ + 1 + + + + /etc/pam.d/system-auth + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] + 1 + + + + /etc/pam.d/password-auth + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] + 1 + + + + /etc/pam.d/system-auth + [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n] + 1 + + + + /etc/pam.d/password-auth + [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n] + 1 + + + gpg-pubkey + + + + /var/log/audit + ^.*$ + oval:ssg-state_owner_not_root_root_var_log_audit:ste:1 + + + + /var/log/audit + ^.*$ + oval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1 + + + + /var/log/audit + + oval:ssg-state_owner_not_root_root_var_log_audit:ste:1 + + + + /var/log/audit + + oval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1 + + + /opt + + + + / + + oval:ssg-state_world_writable_and_not_sticky:ste:1 + + + /boot/grub2/grub.cfg + [\s]*noexec[\s]*=[\s]*off + 1 + + + /etc/fstab + + 1 + + + /etc/fstab + + 1 + + + /etc/sudoers.d + ^.*$ + ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ + 1 + + + /etc/sudoers + ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ + 1 + + + ^/\w.*$ + oval:ssg-state_local_nodev:ste:1 + + + ^/etc/sudoers(|\.d/.*)$ + ^[\s]*Defaults.*\bnoexec\b.*$ + 1 + + + /etc/fstab + + 1 + + + /etc/fstab + + 1 + + + /etc/fstab + + 1 + + + /etc/fstab + + 1 + + + 
^/etc/sudoers(\.d/.*)?$ + ^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*[^\(\s] + 1 + + + /root + ^\.(r|s)hosts$ + + + + /home + ^\.(r|s)hosts$ + + + /etc + ^s?hosts\.equiv$ + + + + /home + ^\.netrc$ + + + /etc/shadow + ^\+.*$ + 1 + + + /etc/passwd + ^\+.*$ + 1 + + + /etc/group + ^\+.*$ + 1 + + + /etc/pam.d/system-auth + ^[^#]*\bnullok\b.*$ + 1 + + + /etc/securetty + ^$ + 1 + + + + /etc/systemd/system + ^runlevel1.target$ + + + + /etc/systemd/system + ^rescue.service$ + + + + /etc/systemd/system + ^emergency.target$ + + + + /etc/systemd/system + ^emergency.service$ + + + /etc/fstab + + 1 + + + /etc/sudoers.d + ^.*$ + ^(?!#).*[\s]+\!authenticate.*$ + 1 + + + /etc/sudoers + ^(?!#).*[\s]+\!authenticate.*$ + 1 + + + ^/etc/polkit-1/localauthority/20-org.d/.*$ + ^\[.*\]\n\s*Identity=default\n\s*Action=org\.freedesktop\.NetworkManager\.\*\n\s*ResultAny=no\n\s*ResultInactive=no\n\s*(ResultActive=auth_admin)\n*\s*$ + 1 + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + multi-user.target + + + /var + + + /var/log + + + /var/log/audit + + + /usr + + + /tmp + + + /srv + + + /opt + + + /home + + + /boot + + + ^/tmp$ + + + /etc/mtab + ^[\s]*/tmp[\s]+/var/tmp[\s]+.*bind.*$ + 1 + + + ^/var/tmp$ + + + /opt/McAfee/auditengine/bin + auditmanager + + + /opt/McAfee/accm/bin + accm + + + /etc/logwatch/conf/logwatch.conf + ^[\s]SplitHosts[\s]*=[\s]*yes[\s]*$ + 1 + + + 
/etc/logwatch/conf/logwatch.conf + ^[\s]HostLimit[\s]*=[\s]*no[\s]*$ + 1 + + + /etc/logrotate.conf + ^\s*(weekly|monthly|yearly)[\s#]*$ + 1 + + + /etc/logrotate.conf + ^\s*daily[\s#]*$ + 1 + + + oval:ssg-var_dconf_local_db_modified_time:var:1 + + + + /etc/login.defs + .*\n(?!#|SYS_)(UID_MIN[\s]+[\d]+)\s*\n + 1 + + + + /etc/login.defs + .*\n[^#]*(SYS_UID_MIN[\s]+[\d]+)\s*\n + 1 + + + + /etc/login.defs + .*\n[^#]*(SYS_UID_MAX[\s]+[\d]+)\s*\n + 1 + + + oval:ssg-variable_last_pass_warn_age_instance_value:var:1 + + + + /etc/login.defs + .*\n[^#]*(PASS_WARN_AGE\s+\d+)\s*\n + 1 + + + oval:ssg-variable_last_pass_min_len_instance_value:var:1 + + + + /etc/login.defs + .*\n[^#]*(PASS_MIN_LEN\s+\d+)\s*\n + 1 + + + oval:ssg-variable_last_pass_min_days_instance_value:var:1 + + + + /etc/login.defs + .*\n[^#]*(PASS_MIN_DAYS\s+\d+)\s*\n + 1 + + + oval:ssg-variable_last_pass_max_days_instance_value:var:1 + + + /etc/login.defs + ^(?:.*\n)*\s*[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n + 1 + + + oval:ssg-variable_last_encrypt_method_instance_value:var:1 + + + + /etc/login.defs + .*\n[^#]*(ENCRYPT_METHOD\s+\w+)\s*\n + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*options\s+ipv6\s+.*disable=1.*$ + 1 + + + /etc/krb5.conf.d/crypto-policies + + + /etc/crypto-policies/back-ends/krb5.config + + + /run/.containerenv + + + /.dockerenv + + + /etc/sssd/sssd.conf + ^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*id_provider[ \t]*=[ \t]*((?i)ad)[ \t]*$ + 1 + + + /home + + + /boot/grub2/grubenv + ^kernelopts=(.*)$ + 1 + + + /boot/efi/EFI/fedora/user.cfg + ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$ + 1 + + + /boot/efi/EFI/fedora/grub.cfg + ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$ + 1 + + + ^/boot/efi/EFI/fedora/grub.cfg + + + ^/boot/efi/EFI/fedora/grub.cfg + + + /boot/grub2/grubenv + ^kernelopts=(.*)$ + 1 + + + /boot/grub2/grubenv + ^kernelopts=(.*)$ + 1 + + + /boot/grub2/user.cfg + ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$ + 1 + + + /boot/grub2/grub.cfg + 
^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$ + 1 + + + ^/boot/grub2/grub.cfg + + + /boot/grub2/grubenv + ^kernelopts=(.*)$ + 1 + + + /boot/grub2/grubenv + ^kernelopts=(.*)$ + 1 + + + /boot/grub2/grubenv + ^kernelopts=(.*)$ + 1 + + + /etc/default/grub + ^\s*GRUB_CMDLINE_LINUX_DEFAULT=".*systemd.confirm_spawn=(?:1|yes|true|on).*$ + 1 + + + /etc/default/grub + ^\s*GRUB_CMDLINE_LINUX=".*systemd.confirm_spawn=(?:1|yes|true|on).*$ + 1 + + + /etc/default/grub + ^\s*GRUB_CMDLINE_LINUX_DEFAULT=.*$ + 1 + + + /boot/grub2/grubenv + ^kernelopts=(.*)$ + 1 + + + /boot/grub2/grubenv + ^kernelopts=(.*)$ + 1 + + + ^/boot/grub2/grub.cfg + + + /etc/group + ^.*:x:([0-9]+): + 1 + + + /etc/passwd + ^.*:[0-9]+:([0-9]+): + 1 + + + ^/etc/opensc.*.conf$ + ^[\s]+force_card_driver[\s]+=[\s]+(\S+);$ + 1 + + + + .* + .* + .* + .* + .* + .* + oval:ssg-state_files_fail_mode:ste:1 + + + + .* + .* + .* + .* + .* + ^/(bin|sbin|lib|lib64|usr)/.+$ + oval:ssg-state_files_fail_md5_hash:ste:1 + + + /sys/firmware/efi + + + + /var/log/messages + oval:ssg-state_file_permissions_var_log_messages_mode_not_0640:ste:1 + + + /var/log/ + + oval:ssg-state_file_permissions_var_log_mode_not_0755:ste:1 + + + + / + .* + oval:ssg-state_file_permissions_ungroupowned:ste:1 + + + + / + ^.*$ + oval:ssg-state_file_permissions_unauthorized_world_write:ste:1 + oval:ssg-state_file_permissions_unauthorized_world_write_exclude_special_selinux_files:ste:1 + oval:ssg-state_file_permissions_unauthorized_world_write_exclude_proc:ste:1 + oval:ssg-state_file_permissions_unauthorized_world_write_exclude_sys:ste:1 + + + /boot + ^System\.map.*$ + + + /etc/ssh/ + ^.*.pub$ + oval:ssg-state_file_permissions_sshd_pub_key_mode_not_0644:ste:1 + + + /etc/ssh/ + ^.*_key$ + oval:ssg-state_file_permissions_sshd_private_key_mode_not_0640:ste:1 + + + ^\/lib(|64)|^\/usr\/lib(|64) + ^.*$ + oval:ssg-state_perms_nogroupwrite_noworldwrite:ste:1 + oval:ssg-perms_state_symlink:ste:1 + + + ^\/lib(|64)|^\/usr\/lib(|64) + + 
oval:ssg-state_perms_nogroupwrite_noworldwrite:ste:1 + oval:ssg-perms_state_symlink:ste:1 + + + + /home + + oval:ssg-state_home_dirs_home_itself:ste:1 + oval:ssg-state_home_dirs_wrong_perm:ste:1 + + + /boot/grub2/grub.cfg + oval:ssg-state_file_permissions_grub2_cfg_mode_not_0600:ste:1 + + + /etc/shadow + oval:ssg-state_file_permissions_etc_shadow_mode_not_0000:ste:1 + + + /etc/passwd + oval:ssg-state_file_permissions_etc_passwd_mode_not_0644:ste:1 + + + /etc/motd + oval:ssg-state_file_permissions_etc_motd_mode_not_0644:ste:1 + + + /etc/issue + oval:ssg-state_file_permissions_etc_issue_mode_not_0644:ste:1 + + + /etc/gshadow + oval:ssg-state_file_permissions_etc_gshadow_mode_not_0000:ste:1 + + + /etc/group + oval:ssg-state_file_permissions_etc_group_mode_not_0644:ste:1 + + + /boot/efi/EFI/fedora/grub.cfg + oval:ssg-state_file_permissions_efi_grub2_cfg_mode_not_0700:ste:1 + + + ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec + ^.*$ + oval:ssg-state_perms_binary_files_nogroupwrite_noworldwrite:ste:1 + oval:ssg-state_perms_binary_files_symlink:ste:1 + + + /etc/shadow- + oval:ssg-state_file_permissions_backup_etc_shadow_mode_not_0000:ste:1 + + + /etc/passwd- + oval:ssg-state_file_permissions_backup_etc_passwd_mode_not_0644:ste:1 + + + /etc/gshadow- + oval:ssg-state_file_permissions_backup_etc_gshadow_mode_not_0000:ste:1 + + + /etc/group- + oval:ssg-state_file_permissions_backup_etc_group_mode_not_0644:ste:1 + + + ^\/lib(|64)\/|^\/usr\/lib(|64)\/ + ^.*$ + oval:ssg-state_owner_libraries_not_root:ste:1 + + + ^\/lib(|64)\/|^\/usr\/lib(|64)\/ + + oval:ssg-state_owner_libraries_not_root:ste:1 + + + ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec + ^.*$ + oval:ssg-state_owner_binaries_not_root:ste:1 + + + ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec + + oval:ssg-state_owner_binaries_not_root:ste:1 + + + /var/log/messages + + + /var/log/ + + + + /boot/grub2/grub.cfg + + + /etc/shadow + + + /etc/passwd + + + /etc/motd + + + /etc/issue + + + /etc/gshadow + + + 
/etc/group + + + /boot/efi/EFI/fedora/grub.cfg + + + /etc/shadow- + + + /etc/passwd- + + + /etc/gshadow- + + + /etc/group- + + + /var/log/messages + + + /var/log/ + + + + /boot/grub2/grub.cfg + + + /etc/shadow + + + /etc/passwd + + + /etc/motd + + + /etc/issue + + + /etc/gshadow + + + /etc/group + + + /boot/efi/EFI/fedora/grub.cfg + + + /etc/shadow- + + + /etc/passwd- + + + /etc/gshadow- + + + /etc/group- + + + /etc/system-release-cpe + ^cpe:\/o:fedoraproject:fedora:[\d]+$ + 1 + + + fedora-release.* + + + /etc/system-fips + + + /etc/selinux/config + ^SELINUX=(.*)$ + 1 + + + /etc/security/limits.d + ^.*\.conf$ + ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins + 1 + + + /etc/security/limits.d + ^.*\.conf$ + ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$ + 1 + + + /etc/security/limits.conf + ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$ + 1 + + + /etc/securetty + ^.*$ + 1 + + + /etc/profile.d + ^.*\.sh$ + ^[\s]*TMOUT=([\w$]+).*$ + 1 + + + /etc/profile + ^[\s]*TMOUT=([\w$]+).*$ + 1 + + + /etc/passwd + ^(?!root).*:x:([\d]+):[\d]+:[^:]*:[^:]*:(?!\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$ + 1 + + + /etc/passwd + ^([^:]+):.*$ + 1 + + + /etc/libuser.conf + ^[\s]*crypt_style[\s]+=[\s]+(?i)sha512[\s]*$ + 1 + + + /etc/default/useradd + ^\s*INACTIVE\s*=\s*(\d+)\s*$ + 1 + + + /etc/dnf/dnf.conf + ^\s*gpgcheck\s*=\s*1\s*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+task,never[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+task,never[\s]*$ + 1 + + + /etc/dracut.conf.d/40-fips.conf + ^\s*add_dracutmodules\+="\s*(\w*)\s*"\s*(?:#.*)?$ + 1 + + + /etc/systemd/system/default.target + + + /etc/systemd/system/ctrl-alt-del.target + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + /dev/shm + + + /dev/shm + + + /dev/shm + + + + /dev + ^.*$ + oval:ssg-state_block_or_char_device_file:ste:1 + + + /etc/sysconfig/kernel + ^\s*DEFAULTKERNEL[\s]*=[\s]*kernel-PAE$ + 1 + + + 
/etc/crypto-policies/back-ends/nss.config + + + oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 + + + /etc/cron.daily/logrotate + ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$ + 1 + + + oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1 + + + oval:ssg-variable_count_of_all_usernames_from_etc_passwd:var:1 + + + ^/proc/cmdline + ^BOOT_IMAGE(.*)$ + 1 + + + ^/boot/loader/entries/ostree-2-.*.conf + ^options (.*)$ + 1 + + + ^/boot/loader/entries/ostree-1-.*.conf + ^options (.*)$ + 1 + + + ^/boot/loader/entries/ostree-2-.*.conf + + + /etc/security/limits.conf + ^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+) + 1 + + + /etc/security/limits.d + ^.*\.conf$ + ^[\s]*\*[\s]+(?:hard|-)[\s]+core + 1 + + + /etc/security/limits.d + ^.*\.conf$ + ^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+) + 1 + + + /etc/sysconfig/sshd + ^\s*CRYPTO_POLICY\s*=.*$ + 1 + + + /etc/pki/tls/openssl.cnf + ^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config\s*$ + 1 + + + /etc/pki/nssdb/pkcs11.txt + ^library=opensc.*.so$ + 1 + + + ^/etc/opensc.*.conf$ + ^[\s]+card_drivers[\s]+=[\s]+(\S+);$ + 1 + + + /etc/fstab + ^[\s]*/tmp[\s]+/var/tmp[\s]+.*bind.*$ + 1 + + + /etc/ipsec.conf + ^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$ + 1 + + + /etc/crypto-policies/state/current + ^(?!#)(\S+)$ + 1 + + + /etc/crypto-policies/config + ^(?!#)(\S+)$ + 1 + + + /etc/named.conf + ^\s*include\s+"/etc/crypto-policies/back-ends/bind.config"\s*;\s*$ + 1 + + + ^/etc/chrony\.(conf|d/.+\.conf)$ + ^[\s]*(?:server|pool)[\s]+.+$ + 1 + + + ^/etc/chrony\.(conf|d/.+\.conf)$ + ^([\s]*server[\s]+.+$){2,}$ + 1 + + + /boot/grub2/grub.cfg + ^[\s]*set[\s]+superusers="(?i)(?!root|admin|administrator)(?-i).*"$ + 1 + + + /boot/efi/EFI/fedora/grub.cfg + ^[\s]*set[\s]+superusers="(?i)(?!root|admin|administrator)(?-i).*"$ + 1 + + + /boot/efi/EFI/fedora/grub.cfg + ^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$ + 1 + + + /boot/grub2/grub.cfg + 
^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$ + 1 + + + /etc/default/grub + ^\s*GRUB_DISABLE_RECOVERY=(.*)$ + 1 + + + /boot + + + /boot + + + /boot + + + /boot + + + + /etc/motd + ^(.*)$ + 1 + + + + ^/etc/issue(\.d/.*)?$ + ^(.*)$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*num_logs[ ]+=[ ]+(\d+)[ ]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*max_log_file_action[ ]+=[ ]+(\S+)[ ]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*max_log_file[ ]+=[ ]+(\d+)[ ]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*flush[ ]+=[ ]+(\S+)[ ]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*admin_space_left_action[ ]+=[ ]+(\S+)[ ]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*action_mail_acct[ ]+=[ ]+(\S+)[ ]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*disk_full_action[ ]+=[ ]+(\S+)[ ]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*disk_error_action[ ]+=[ ]+(\S+)[ ]*$ + 1 + + + /etc/audit/auditd.conf + ^[ ]*log_group[ ]+=[ ]+root[ ]*$ + 1 + + + /etc/audit/plugins.d/syslog.conf + ^[ ]*active[ ]+=[ ]+yes[ ]*$ + 1 + + + /etc/audit/audisp-remote.conf + ^[ ]*transport[ ]+=[ ]+KRB5[ ]*$ + 1 + + + /etc/audit/audisp-remote.conf + ^[ ]*remote_server[ ]+=[ ]+(\S+)[ ]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + 
/etc/audit/audit.rules + ^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + 
^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s+]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + 
+ /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules 
+ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + 
+ /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + 
/etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + 
+ + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /usr/lib/systemd/system/auditd.service + ^ExecStartPost=\-\/sbin\/augenrules.*$ + 1 + + + /usr/lib/systemd/system/auditd.service + ^ExecStartPost=\-\/sbin\/auditctl.*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 
1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + 
^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + 
^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w\s+/var/log/wtmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + /etc/audit/audit.rules + ^\-w\s+/var/log/wtmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w\s+/var/run/utmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + /etc/audit/audit.rules + ^\-w\s+/var/run/utmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w\s+/var/log/btmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + 
/etc/audit/audit.rules + ^\-w\s+/var/log/btmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a always,exit (?:-F path=([\S]+) )+-F auid>=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1 + + + /etc/audit/audit.rules + ^[\s]*-a always,exit (?:-F path=([\S]+) )+-F auid>=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w\s+\/var\/log\/tallylog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + /etc/audit/audit.rules + ^\-w\s+\/var\/log\/tallylog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + /etc/audit/audit.rules + ^\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + /etc/audit/audit.rules + ^\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^\-e\s+2\s*$ + 1 + + + /etc/audit/audit.rules + ^\-e\s+2\s*$ + 1 + + + /var/spool/cron/root + ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*(root)?[\s]*/usr/sbin/aide[\s]*\-\-check.*$ + 1 + + + /etc/aide.conf + ^database=file:@@{DBDIR}/([a-z.]+)$ + 1 + + + + + + ^/etc/cron.(daily|weekly)$ + ^.*$ + ^\s*/usr/sbin/aide[\s]*\-\-check.*$ + 1 + + + /etc/aide.conf + ^database_out=file:@@{DBDIR}/([a-z.]+)$ + 1 + + + + + + /etc/aide.conf + ^@@define[\s]DBDIR[\s]+(/.*)$ + 1 + + + + PATH + + + + + oval:ssg-state_accounts_root_path_dirs_wrong_perms:ste:1 + oval:ssg-state_accounts_root_path_dirs_symlink:ste:1 + + + /etc/pam.d/system-auth + + 1 + + + /etc/pam.d/password-auth + + 1 + + + + oval:ssg-object_accounts_passwords_pam_faillock_preauth_unlock_time_system-auth:obj:1 + oval:ssg-object_accounts_passwords_pam_faillock_authfail_unlock_time_system-auth:obj:1 + + + + + oval:ssg-object_accounts_passwords_pam_faillock_preauth_unlock_time_password-auth:obj:1 + oval:ssg-object_accounts_passwords_pam_faillock_authfail_unlock_time_password-auth:obj:1 + + + + + 
oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system-auth:obj:1 + oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password-auth:obj:1 + + + + /etc/pam.d/system-auth + ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*unlock_time=(\w*).*$ + 1 + + + /etc/pam.d/password-auth + ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*unlock_time=(\w*).*$ + 1 + + + /etc/pam.d/system-auth + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] + 1 + + + /etc/pam.d/password-auth + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] + 1 + + + /etc/pam.d/password-auth + ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*fail_interval=([0-9]*).*$ + 1 + + + /etc/pam.d/system-auth + [\n][\s]*auth[\s]+\[.*default=([0-9]+).*\][\s]+pam_unix\.so + 1 + + + /etc/pam.d/password-auth + [\n][\s]*auth[\s]+\[[^\]]*default=([0-9]+)[^\]]*\][\s]+pam_unix\.so + 1 + + + /etc/pam.d/system-auth + ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*fail_interval=([0-9]*).*$ + 1 + + + /etc/pam.d/password-auth + ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*fail_interval=([0-9]*).*$ + 1 + + + /etc/pam.d/system-auth + ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*unlock_time=(\w*).*$ + 1 + + + /etc/pam.d/password-auth + ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*unlock_time=(\w*).*$ + 1 + + + /etc/pam.d/system-auth + ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*fail_interval=([0-9]*).*$ + 1 + + + /etc/pam.d/system-auth + [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[[^\]]*default=ignore[^\]]*\]))[^\n]+pam_unix\.so(?:.*[\n])*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[^\n]+deny=([0-9]+) + 1 + + + 
/etc/pam.d/password-auth + [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[[^\]]*default=ignore[[^\]]*\]))[\s]+pam_unix\.so(?:.*[\n])*[^\n]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+) + 1 + + + /etc/pam.d/system-auth + ^\s*account\s+required\s+pam_faillock\.so.*$ + 1 + + + /etc/pam.d/password-auth + ^\s*account\s+required\s+pam_faillock\.so.*$ + 1 + + + /etc/pam.d/system-auth + [\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n] + 1 + + + /etc/pam.d/password-auth + [\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n] + 1 + + + /etc/pam.d/system-auth + ^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*remember=([0-9]*).*$ + 1 + + + /etc/pam.d/system-auth + ^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so.*remember=([0-9]*).*$ + 1 + + + .* + + + /etc/passwd + ^(?!root:)[^:]*:[^:]*:0 + 1 + + + /etc/login.defs + ^[\s]*(?i)FAIL_DELAY(?-i)[\s]+([^#\s]*) + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + 
+ ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + 
^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+umount[\s]+|([\s]+|[,])umount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+umount[\s]+|([\s]+|[,])umount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + 
^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 
+ 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + 
^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + 
^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + + 1 + + + /etc/audit/audit.rules + + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount[\s]+|([\s]+|[,])umount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount[\s]+|([\s]+|[,])umount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 1 + + + /etc/wrlinux-release + ^VERSION=.8\.0.*$ + 1 + + + /etc/os-release + ^VERSION=.10\.19.*$ + 1 + + + /etc/os-release + ^VERSION_ID="(\d)"$ + 1 + + + /var/tmp/tmp-inst + + + + /etc/security/namespace.conf + ^\s*/var/tmp\s+/var/tmp/tmp-inst/\s+level\s+root,adm$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/screensaver/lock-delay$ + 1 + + + 
/etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/session/idle-delay$ + 1 + + + ^/etc/usbguard/(rules|rules\.d/.*)\.conf$ + ^.*\S+.*$ + 1 + + + + + /etc/profile + ^[\s]*umask[\s]+([^#\s]*) + 1 + + + /etc/login.defs + ^[\s]*UMASK[\s]+([^#\s]*) + 1 + + + /etc/init.d/functions + ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*) + 1 + + + oval:ssg-var_etc_init_d_functions_umask_as_number:var:1 + + + /etc/lsb-release + ^DISTRIB_CODENAME=xenial$ + 1 + + + /etc/lsb-release + ^DISTRIB_CODENAME=focal$ + 1 + + + /etc/lsb-release + ^DISTRIB_CODENAME=bionic$ + 1 + + + /etc/lsb-release + ^DISTRIB_ID=Ubuntu$ + 1 + + + /tmp/tmp-inst + + + + /etc/security/namespace.conf + ^\s*/tmp\s+/tmp/tmp-inst/\s+level\s+root,adm$ + 1 + + + dnf-automatic\.timer + ActiveState + + + usbguard + + + systemd + + + syslogng + + + rsyslog + + + sssd-common + + + openssh-server + + + rsyslog + + + rsync-daemon + + + nfs-utils + + + nfs-utils + + + nfs-utils + + + rng-tools + + + pcsc-lite + + + ntp + + + ntp + + + nfs-utils + + + nfs-utils + + + netfs + + + iptables + + + iptables-ipv6 + + + firewalld + + + systemd + + + cronie + + + cron + + + chrony + + + bluez + + + autofs + + + audit + + + at + + + xorg-x11-server-common + + + vsftpd + + + vsftpd + + + vim + + + usbguard + + + tuned + + + tmux + + + telnetd + + + telnetd-ssl + + + tar + + + syslogng + + + sudo + + + sssd-ipa + + + setroubleshoot + + + setroubleshoot-server + + + setroubleshoot-plugins + + + sendmail + + + screen + + + scap-security-guide + + + samba-common + + + rsyslog + + + rsyslog-gnutls + + + rng-tools + + + rear + + + prelink + + + policycoreutils + + + pcsc-lite + + + pam_ldap + + + openssl-pkcs11 + + + openssh-server + + + openssh-server + + + openscap-scanner + + + opensc + + + openldap-clients + + + ntpdate + + + ntp + + + nss-tools + + + nis + + + nfs-utils + + + net-snmp + + + mcstrans + + + libselinux + + + libreswan + + + libcap-ng-utils + + + krb5-workstation + + + iptables + + + iprutils + + + inetutils-telnetd + + + 
gssproxy + + + gnutls-utils + + + geolite2-country + + + geolite2-city + + + gdm + + + gdm + + + fapolicyd + + + esc + + + dnf-automatic + + + dconf + + + cryptsetup-luks + + + cron + + + chrony + + + binutils + + + bind + + + avahi + + + audit + + + audit-audispd-plugins + + + audispd-plugins + + + aide + + + abrt + + + abrt-plugin-sosreport + + + abrt-plugin-rhtsupport + + + abrt-plugin-logger + + + abrt-cli + + + abrt-addon-python + + + abrt-addon-kerneloops + + + abrt-addon-ccpp + + + MFEhiplsm + + + GConf2 + + + ntp + + + chrony + + + oval:ssg-var_system_crypto_policy:var:1 + + + /etc/sysconfig/network + ^[\s]*NOZEROCONF[\s]*=[\s]*yes + 1 + + + ^/etc/sssd/(sssd|conf\.d/.*)\.conf$ + ^\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*user[ \t]*=[ \t]*(\S*) + 1 + + + /etc/sssd/sssd.conf + ^[\s]*\[ssh](?:[^\n\[]*\n+)+?[\s]*ssh_known_hosts_timeout[\s]*=[\s]*(\d+)$ + 1 + + + /etc/sssd/sssd.conf + ^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*offline_credentials_expiration[\s]*=[\s]*1$ + 1 + + + /etc/sssd/sssd.conf + ^[\s]*\[nss](?:[^\n\[]*\n+)+?[\s]*memcache_timeout[\s]*=[\s]*(\d+)$ + 1 + + + /etc/sssd/sssd.conf + ^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*pam_cert_auth[\s]*=[\s]*true$ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)X11UseLocalhost(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)X11UseLocalhost(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)UsePrivilegeSeparation(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)LogLevel(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)LogLevel(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PrintLastLog(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PrintLastLog(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 
1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)X11Forwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)StrictModes(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)StrictModes(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)X11Forwarding(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)X11Forwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)IgnoreUserKnownHosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)AllowTcpForwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[\s]*(?i)RhostsRSAAuthentication(?-i)[\s]+no[\s]*(?:#.*)?$ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PubkeyAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ 
\t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)Compression(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/sshd_config + ^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:#.*)?$ + 1 + + + SLES_SAP-release + + + SLES_SAP-release + + + + sles-release + + + sled-release + + + + sles-release + + + sled-release + + + sl-release + + + sl-release + + + ^usbguard\.(socket|service)$ + ActiveState + + + ^syslogng\.(socket|service)$ + ActiveState + + + ^rsyslog\.(socket|service)$ + ActiveState + + + ^rngd\.(socket|service)$ + ActiveState + + + ^pcscd\.(socket|service)$ + ActiveState + + + ^ntpd\.(socket|service)$ + ActiveState + + + ^ntp\.(socket|service)$ + ActiveState + + + ^iptables\.(socket|service)$ + ActiveState + + + ^ip6tables\.(socket|service)$ + ActiveState + + + ^firewalld\.(socket|service)$ + ActiveState + + + ^crond\.(socket|service)$ + ActiveState + + + ^cron\.(socket|service)$ + ActiveState + + + ^chronyd\.(socket|service)$ + ActiveState + + + ^auditd\.(socket|service)$ + ActiveState + + + ^systemd-coredump\.(service|socket)$ + ActiveState + + + ^syslog\.(service|socket)$ + ActiveState + + + ^sssd\.(service|socket)$ + ActiveState + + + ^sshd\.(service|socket)$ + ActiveState + + + ^rsyncd\.(service|socket)$ + ActiveState + + + ^rpcsvcgssd\.(service|socket)$ + ActiveState + + + ^rpcidmapd\.(service|socket)$ + ActiveState + + + ^rpcgssd\.(service|socket)$ + ActiveState + + + ^nfslock\.(service|socket)$ + ActiveState + + + ^nfs-server\.(service|socket)$ + ActiveState + + + ^netfs\.(service|socket)$ + ActiveState + + + ^debug-shell\.(service|socket)$ + ActiveState + + + ^bluetooth\.(service|socket)$ + ActiveState + + + ^autofs\.(service|socket)$ + ActiveState + + + ^atd\.(service|socket)$ + ActiveState + + + ^systemd-coredump\.(service|socket)$ + LoadState + + + ^syslog\.(service|socket)$ + LoadState + + + ^sssd\.(service|socket)$ + LoadState + + + ^sshd\.(service|socket)$ + LoadState + + + 
^rsyncd\.(service|socket)$ + LoadState + + + ^rpcsvcgssd\.(service|socket)$ + LoadState + + + ^rpcidmapd\.(service|socket)$ + LoadState + + + ^rpcgssd\.(service|socket)$ + LoadState + + + ^nfslock\.(service|socket)$ + LoadState + + + ^nfs-server\.(service|socket)$ + LoadState + + + ^netfs\.(service|socket)$ + LoadState + + + ^debug-shell\.(service|socket)$ + LoadState + + + ^bluetooth\.(service|socket)$ + LoadState + + + ^autofs\.(service|socket)$ + LoadState + + + ^atd\.(service|socket)$ + LoadState + + + ^systemd-coredump\.(service|socket)$ + FragmentPath + + + ^syslog\.(service|socket)$ + FragmentPath + + + ^sssd\.(service|socket)$ + FragmentPath + + + ^sshd\.(service|socket)$ + FragmentPath + + + ^rsyncd\.(service|socket)$ + FragmentPath + + + ^rpcsvcgssd\.(service|socket)$ + FragmentPath + + + ^rpcidmapd\.(service|socket)$ + FragmentPath + + + ^rpcgssd\.(service|socket)$ + FragmentPath + + + ^nfslock\.(service|socket)$ + FragmentPath + + + ^nfs-server\.(service|socket)$ + FragmentPath + + + ^netfs\.(service|socket)$ + FragmentPath + + + ^debug-shell\.(service|socket)$ + FragmentPath + + + ^bluetooth\.(service|socket)$ + FragmentPath + + + ^autofs\.(service|socket)$ + FragmentPath + + + ^atd\.(service|socket)$ + FragmentPath + + + /etc/selinux/config + ^SELINUXTYPE=([\w]*)[\s]*$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?picture-uri=(string[\s])?\'\'$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-enabled=true$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^lock-delay[\s=]*uint32[\s]([^=\s]*) + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-delay=uint32[\s][0-9]*$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^idle-delay[\s=]*uint32[\s]([^=\s]*) + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/session]([^\n]*\n+)+?idle-delay=uint32[\s][0-9]*$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + 
^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?idle-activation-enabled=true$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?show-full-name-in-top-bar=false$ + 1 + + + ^/etc/rsyslog\.(conf|d/.+\.conf)$ + ^\s*global\(DefaultNetstreamDriverCAFile="(.+?)"\)\s*\n + 0 + + + + ^/etc/rsyslog\.(conf|d/.+\.conf)$ + ^\s*action\((?i)type(?-i)="omfwd"(.+?)\) + 0 + + + /etc/aliases + ^(?:[rR][oO][oO][tT]|"[rR][oO][oO][tT]")\s*:\s*(.+)$ + 1 + + + redhat-release-virtualization-host + + + rhosp-release + + + rhosp-release + + + rhvm-appliance + + + /etc/redhat-release + ^Red Hat Enterprise Linux release (\d)\.\d+$ + 1 + + + /etc/redhat-release + ^Red Hat Enterprise Linux release (\d)\.\d+$ + 1 + + + /etc/redhat-release + ^Red Hat Enterprise Linux release (\d)\.\d+$ + 1 + + + + redhat-release + + + + redhat-release + + + redhat-release-workstation + + + + redhat-release-server + + + redhat-release-computenode + + + redhat-release-client + + + /etc/os-release + ^ID="(\w+)"$ + 1 + + + /etc/os-release + ^VERSION_ID="(\d)\.\d+"$ + 1 + + + /usr/lib/systemd/system/runlevel1.target + ^Requires=.*rescue.service + 1 + + + /usr/lib/systemd/system/rescue.service + ^ExecStart=\-.*/usr/lib/systemd/systemd-sulogin-shell[ ]+rescue + 1 + + + /usr/lib/systemd/system/emergency.target + ^Requires=.*emergency.service + 1 + + + /usr/lib/systemd/system/emergency.service + ^ExecStart=\-/usr/lib/systemd/systemd-sulogin-shell[\s]+emergency + 1 + + + /etc/dconf/db/local.d/locks + ^.*$ + ^/org/gnome/desktop/lockdown/user-administration-disabled$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/system/location/enabled$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/screensaver/picture-uri$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/screensaver/lock-enabled$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/screensaver/lock-enabled$ + 1 + + + /etc/dconf/db/local.d/locks + ^.*$ + 
^/org/gnome/settings-daemon/peripherals/smartcard/removal-action$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/Vino/require-encryption$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/Vino/authentication-methods$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/settings-daemon/plugins/power/active$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/screensaver/lock-delay$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/media-handling/autorun-never$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/media-handling/automount-open$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/media-handling/automount$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/nm-applet/suppress-wireless-networks-available$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/nm-applet/disable-wifi-create$ + 1 + + + /etc/dconf/db/gdm.d/locks/ + ^.*$ + ^/org/gnome/login-screen/disable-restart-buttons$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/settings-daemon/plugins/media-keys/logout$ + 1 + + + /etc/dconf/db/gdm.d/locks/ + ^.*$ + ^/org/gnome/login-screen/disable-user-list$ + 1 + + + /etc/dconf/db/gdm.d/locks/ + ^.*$ + ^/org/gnome/login-screen/enable-smartcard-authentication$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/clocks/geolocation$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/session/idle-delay$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/screensaver/idle-activation-enabled$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/screensaver/idle-activation-enabled$ + 1 + + + /etc/dconf/db/local.d/locks/ + ^.*$ + ^/org/gnome/desktop/thumbnailers/disable-all$ + 1 + + + /etc/dconf/db/gdm.d/locks/ + ^.*$ + ^/org/gnome/login-screen/banner-message-enable$ + 1 + + + 
/etc/dconf/db/gdm.d/locks/ + ^.*$ + ^/org/gnome/login-screen/banner-message-text$ + 1 + + + /etc/dconf/db/gdm.d/locks/ + ^.*$ + ^/org/gnome/login-screen/allowed-failures$ + 1 + + + /etc/security/pwquality.conf + ^ucredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) + 1 + + + /etc/pam.d/system-auth + ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$ + 1 + + + /etc/security/pwquality.conf + ^ocredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) + 1 + + + /etc/security/pwquality.conf + ^minlen[\s]*=[\s]*(\d+)(?:[\s]|$) + 1 + + + /etc/security/pwquality.conf + ^minclass[\s]*=[\s]*(\d+)(?:[\s]|$) + 1 + + + /etc/security/pwquality.conf + ^maxrepeat[\s]*=[\s]*(\d+)(?:[\s]|$) + 1 + + + /etc/security/pwquality.conf + ^maxclassrepeat[\s]*=[\s]*(\d+)(?:[\s]|$) + 1 + + + /etc/security/pwquality.conf + ^lcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) + 1 + + + /etc/security/pwquality.conf + ^difok[\s]*=[\s]*(\d+)(?:[\s]|$) + 1 + + + /etc/security/pwquality.conf + ^dcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) + 1 + + + /etc/pam.d/system-auth + ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$ + 1 + + + kernel-PAE + + + openSUSE-release + + + openSUSE-release + + + openSUSE-release + + + openssh-server + + + oraclelinux-release + + + oraclelinux-release + + + /usr/lib/systemd/system/ntpd.service + ^[\s]*ExecStart=.*-u ntp:ntp.*$ + 1 + + + /etc/sysconfig/ntpd + ^[\s]*OPTIONS=.*-u ntp:ntp.*$ + 1 + + + /etc/ntp.conf + ^([\s]*server[\s]+.+$){2,}$ + 1 + + + /etc/ntp.conf + ^[\s]*restrict[\s]+-6[\s]+default(?=.*kod)(?=.*nomodify)(?=.*notrap)(?=.*nopeer)(?=.*noquery).*$ + 1 + + + /etc/ntp.conf + ^[\s]*restrict[\s]+(-4[\s]*)?default(?=.*kod)(?=.*nomodify)(?=.*notrap)(?=.*nopeer)(?=.*noquery).*$ + 1 + + + /etc/ntp.conf + ^server[\s]+[\S]+.*maxpoll[\s]+(\d+) + 1 + + + /etc/ntp.conf + ^[\s]*server[\s]+.+$ + 1 + + + /etc/ntp.conf + ^server[\s]+[\S]+[\s]+(.*) + 1 + + + /etc/shells + tmux$ + 1 + + + /etc/exports + ^(.*?(\binsecure_locks\b)[^$]*)$ + 1 + + + /etc/sysconfig/network-scripts + 
ifcfg-.* + ^IPV6ADDR=.+$ + 1 + + + /etc/sysconfig/network-scripts + ifcfg-.* + ^IPV6_PRIVACY=rfc3041$ + 1 + + + /etc/netconfig + ^udp6\s+tpi_clts\s+v\s+inet6\s+udp\s+-\s+-$ + 1 + + + /etc/netconfig + ^tcp6\s+tpi_cots_ord\s+v\s+inet6\s+tcp\s+-\s+-$ + 1 + + + /etc/sysconfig/network-scripts + ifcfg-.* + ^IPV6_DEFAULTGW=.+$ + 1 + + + /etc/os-release + ^NAME=.Wind[\s]+River[\s]+Linux.*$ + 1 + + + /etc/os-release + ^ID="(\w+)"$ + 1 + + + MFErt + + + MFEcma + + + /etc/lsb-release + + + McAfeeVSEForLinux + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+vfat\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+vfat\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+vfat\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+vfat\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+vfat\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+vfat\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+vfat\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+udf\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+udf\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + 
^\s*install\s+udf\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+udf\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+udf\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+udf\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+udf\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+rds\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+rds\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+rds\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+rds\s+(/bin/false|/bin/true)$ + 1 + 
+ + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+rds\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+rds\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+rds\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + 
^\s*install\s+hfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + 
^.*\.conf$ + ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+can\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+can\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+can\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+can\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+can\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+can\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+can\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$ + 1 + + + /run/modules-load.d + ^.*\.conf$ + 
^\s*install\s+atm\s+(/bin/false|/bin/true)$ + 1 + + + /run/modprobe.d + ^.*\.conf$ + ^\s*install\s+atm\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.conf + ^\s*install\s+atm\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modules-load.d + ^.*\.conf$ + ^\s*install\s+atm\s+(/bin/false|/bin/true)$ + 1 + + + /usr/lib/modprobe.d + ^.*\.conf$ + ^\s*install\s+atm\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modules-load.d + ^.*\.conf$ + ^\s*install\s+atm\s+(/bin/false|/bin/true)$ + 1 + + + /etc/modprobe.d + ^.*\.conf$ + ^\s*install\s+atm\s+(/bin/false|/bin/true)$ + 1 + + + ^/etc/.+\.keytab$ + + + /etc/crypto-policies/back-ends/opensshserver.config + ^(?:.*\n)*\s*CRYPTO_POLICY=(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/ssh_config.d/02-ospp.conf + ^Match final all(?:.* +)*?\s*RekeyLimit[\s]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/ssh_config.d/02-ospp.conf + ^Match final all(?:.* +)*?\s*PubkeyAcceptedKeyTypes[\s]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/ssh_config.d/02-ospp.conf + ^[ \t]*Match[\s]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/ssh_config.d/02-ospp.conf + ^Match final all(?:.* +)*?\s*MACs[\s]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/ssh_config.d/02-ospp.conf + ^Match final all(?:.* +)*?\s*KexAlgorithms[\s]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/ssh_config.d/02-ospp.conf + ^Match final all(?:.* +)*?\s*GSSAPIAuthentication[\s]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/ssh/ssh_config.d/02-ospp.conf + ^Match final all(?:.* +)*?\s*Ciphers[\s]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/default/grub + ^[ \t]*GRUB_CMDLINE_LINUX=([^#]*).*$ + 1 + + + ^/etc/gdm/custom.conf + + + /etc/gdm/custom.conf + ^\s*\[xdmcp\].*(?:\n\s*[^[\s].*)*\n^\s*Enable[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/thumbnailers]([^\n]*\n+)+?disable-all=true$ + 1 + + + /etc/dconf/db/gdm.d/ + ^.*$ + ^banner-message-text=[\s]*'*(.*?)'$ + 1 + + + /etc/firewalld/firewalld.conf + ^DefaultZone=drop$ + 1 + + + + / + ^.*$ + oval:ssg-state_file_permissions_unauthorized_suid_suid_set:ste:1 + 
oval:ssg-state_file_permissions_unauthorized_suid_filepaths:ste:1 + + + + .* + .* + .* + .* + .* + + + + + / + ^.*$ + oval:ssg-state_file_permissions_unauthorized_suid_suid_set:ste:1 + + + + / + ^.*$ + oval:ssg-state_file_permissions_unauthorized_sgid_sgid_set:ste:1 + oval:ssg-state_file_permissions_unauthorized_sgid_filepaths:ste:1 + + + + .* + .* + .* + .* + .* + + + + + / + ^.*$ + oval:ssg-state_file_permissions_unauthorized_sgid_sgid_set:ste:1 + + + s390utils-base + + + yum + + + systemd + + + sudo + + + sssd-common + + + pam + + + nss-pam-ldapd + + + net-snmp + + + shadow-utils + + + libuser + + + grub2-common + + + gdm + + + /etc/yum.repos.d + .* + ^\s*gpgcheck\s*=\s*0\s*$ + 1 + + + /etc/pam.d/login + ^\s*session\s+required\s+pam_namespace\.so\s*$ + 1 + + + /etc/dconf/db/gdm.d/ + ^.*$ + ^\[org/gnome/login-screen]([^\n]*\n+)+?enable-smartcard-authentication=true$ + 1 + + + ^/etc/dnf/automatic.conf + + + /etc/dnf/automatic.conf + ^\s*\[commands\].*(?:\n\s*[^[\s].*)*\n^\s*upgrade_type[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + ^/etc/dnf/automatic.conf + + + /etc/dnf/automatic.conf + ^\s*\[commands\].*(?:\n\s*[^[\s].*)*\n^\s*apply_updates[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + /etc/pam.d/login + ^\s*session\s+(required|requisite)?\s+pam_lastlog.so[\s\w\d\=]+silent(\s|$) + 1 + + + + /etc/pam.d/postlogin + [\n][\s]*session[\s]+\[default=1\][\s]+pam_lastlog.so[\s\w\d\=]+showfailed[\s\w\d\=]*\n[\s]*session[\s]+optional[\s]+pam_lastlog.so[\s\w\d\=]+showfailed[\s\w\d\=]*[\n] + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/nm-applet]([^\n]*\n+)+?suppress-wireless-networks-available=true$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/nm-applet]([^\n]*\n+)+?disable-wifi-create=true$ + 1 + + + /etc/dconf/db/gdm.d/ + ^.*$ + ^\[org/gnome/login-screen]([^\n]*\n+)+?disable-user-list=true$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/system/location]([^\n]*\n+)+?enabled=false$ + 1 + + + /etc/dconf/db/gdm.d/ + ^.*$ + 
^\[org/gnome/login-screen]([^\n]*\n+)+?disable-restart-buttons=true$ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+ + 1 + + + /etc/ssh/sshd_config + ^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) + 1 + + + /etc/gdm/custom.conf + ^\[daemon]([^\n]*\n+)+?TimedLoginEnable=[Ff]alse$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/settings-daemon/plugins/power]([^\n]*\n+)+?active=false$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/settings-daemon/plugins/media-keys]([^\n]*\n+)+?logout[\s]*=[\s]*''$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/clocks]([^\n]*\n+)+?geolocation=false$ + 1 + + + /etc/gdm/custom.conf + ^\[daemon]([^\n]*\n+)+?AutomaticLoginEnable=[Ff]alse$ + 1 + + + /etc/debian_version + ^9.[0-9]+$ + 1 + + + /etc/debian_version + ^10.[0-9]+$ + 1 + + + /etc/debian_version + + + /etc/dconf/profile/user + ^user-db:user\nsystem-db:local$ + 1 + + + /etc/dconf/db/local + + + ^/etc/dconf/db/local.d/.* + + + /etc/dconf/db/local.d/ + ^.*$ + ^\s*\[org/gnome/settings-daemon/peripherals/smartcard\].*(?:\n\s*[^[\s].*)*\n^\s*removal-action[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\s*\[org/gnome/desktop/lockdown\].*(?:\n\s*[^[\s].*)*\n^\s*user-administration-disabled[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?autorun-never=true$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount-open=false$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount=false$ + 1 + + + /etc/rsyslog.d + ^.*$ + ^[\s]*cron\.\*[\s]+/var/log/cron$ + 1 + + + /etc/rsyslog.conf + ^[\s]*cron\.\*[\s]+/var/log/cron$ + 1 + + + /etc/systemd/coredump.conf + ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + /etc/systemd/coredump.conf + ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ 
\t]*(?i)ProcessSizeMax(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + ^/etc/usbguard/usbguard-daemon.conf + + + /etc/usbguard/usbguard-daemon.conf + ^[ \t]*AuditBackend=(.+?)[ \t]*(?:$|#) + 1 + + + /etc/tmux.conf + ^\s*set\s+-g\s+lock-command\s+vlock\s*(?:#.*)?$ + 1 + + + /etc/tmux.conf + ^\s*set\s+-g\s+lock-after-time\s+900\s*(?:#.*)?$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/Vino]([^\n]*\n+)+?require-encryption=true$ + 1 + + + /etc/dconf/db/local.d/ + ^.*$ + ^\[org/gnome/Vino]([^\n]*\n+)+?authentication-methods=\['vnc'\]$ + 1 + + + + /etc/bashrc + ^(.*)$ + 1 + + + /etc/dconf/db/gdm.d/ + ^.*$ + ^\[org/gnome/login-screen]([^\n]*\n+)+?allowed-failures=3$ + 1 + + + ^/etc/sysconfig/chronyd + + + /etc/sysconfig/chronyd + ^[ \t]*OPTIONS=(.+?)[ \t]*(?:$|#) + 1 + + + /etc/chrony.conf + ^\s*port[\s]+(\S+) + 1 + + + /etc/chrony.conf + ^\s*cmdport[\s]+(\S+) + 1 + + + ^/etc/chrony\.(conf|d/.+\.conf)$ + ^server[\s]+[\S]+.*maxpoll[\s]+(\d+) + 1 + + + ^/etc/chrony\.(conf|d/.+\.conf)$ + ^server[\s]+[\S]+[\s]+(.*) + 1 + + + centos-release + + + centos-release + + + /etc/dconf/db/gdm.d/ + ^.*$ + ^\[org/gnome/login-screen]([^\n]*\n+)+?banner-message-enable=true$ + 1 + + + /etc/audit/auditd.conf + ^[ \t]*(?i)write_logs(?-i)[ \t]*=[ \t]* + 1 + + + /etc/audit/auditd.conf + ^[ \t]*(?i)write_logs(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + /etc/audit/auditd.conf + ^[ \t]*(?i)name_format(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + /etc/audit/auditd.conf + ^[ \t]*(?i)log_format(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + /etc/audit/auditd.conf + ^[ \t]*(?i)local_events(?-i)[ \t]*=[ \t]* + 1 + + + /etc/audit/auditd.conf + ^[ \t]*(?i)local_events(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + /etc/audit/auditd.conf + ^[ \t]*(?i)freq(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + + + oval:ssg-var_etc_profile_umask_as_number:var:1 + + + oval:ssg-var_etc_login_defs_umask_as_number:var:1 + + + /etc/security/faillock.conf + ^[\s]*local_users_only[\s]*$ + 1 + + + 
/etc/pam.d/system-auth + ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_faillock\.so.*$ + 1 + + + /etc/security/pwquality.conf + ^[\s]*enforce_for_root[\s]*$ + 1 + + + /etc/security/pwquality.conf + ^[\s]*local_users_only[\s]*$ + 1 + + + /etc/login.defs + ^[\s]*(?i)CREATE_HOME(?-i)[\s]+yes[\s]*(?:#.*)?$ + 1 + + + /proc/cpuinfo + ^flags[\s]+:.*[\s]+pae[\s]+.*[\s]+nx[\s]+.*$ + 1 + + + .* + + + + / + .* + oval:ssg-file_permissions_unowned_userid_list_match:ste:1 + + + /etc/group + ^[^:]+:[^:]*:([\d]+):[^:]*$ + 1 + + + ^\/lib(|64)|^\/usr\/lib(|64) + + oval:ssg-dir_state_perms_nogroupwrite_noworldwrite:ste:1 + oval:ssg-dir_perms_state_symlink:ste:1 + + + /etc/crypto-policies/state/current + + + /etc/crypto-policies/config + + + + / + + oval:ssg-state_uid_is_not_root_and_world_writable:ste:1 + + + + / + + oval:ssg-state_uid_is_user_and_world_writable:ste:1 + + + + / + + oval:ssg-state_gid_is_user_and_world_writable:ste:1 + + + + + + + + ^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$ + + + + + + + + + false + true + + + 8 + + + directory + false + false + false + false + false + false + false + false + false + + + /dev/cdrom + + + nosuid + + + noexec + + + nodev + + + nosuid + + + noexec + + + nodev + + + nosuid + + + noexec + + + nodev + + + 0 + + + + + + 0 + + + unix + + + unix + + + unix + + + 0 + + + + + + 1000 + true + + + 0 + true + + + + + + + + + + + + nosuid + + + noexec + + + nodev + + + directory + false + false + false + false + false + false + false + false + false + + + active + + + + + + 0 + + + + + + usbguard.socket + + + usbguard.service + + + syslogng.socket + + + syslogng.service + + + rsyslog.socket + + + rsyslog.service + + + rngd.socket + + + rngd.service + + + pcscd.socket + + + pcscd.service + + + ntpd.socket + + + ntpd.service + + + ntp.socket + + + ntp.service + + + iptables.socket + + + iptables.service + + + ip6tables.socket + + + ip6tables.service + + + firewalld.socket + + + firewalld.service + + + dnf-automatic.timer + + + crond.socket + + + 
crond.service + + + cron.socket + + + cron.service + + + chronyd.socket + + + chronyd.service + + + auditd.socket + + + auditd.service + + + x86_64 + + + i686 + + + s390x + + + ppc64le + + + ppc64 + + + aarch64 + + + + + + + + + 65536 + + + 0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + + + + + + + + + + + + + + + + + + 32768\s*65535 + + + 0 + + + + + + + + + 0 + + + + + + + + + + + + + + + + + + 0 + + + + + + + + + + + + + + + + + + 2 + + + 1 + + + 1 + + + 0 + + + 2 + + + 65536 + + + 2 + + + 1 + + + 1 + + + 1 + + + 1 + + + 1 + + + 1 + + + |/bin/false + + + 0 + + + 1 + + + 1 + + + 1 + + + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + sssd + + + + + + + + + ^yes$ + + + + + + ^VERBOSE$ + + + ^INFO$ + + + ^0$ + + + 0 + + + 2 + + + ^yes$ + + + 1 + + + ^yes$ + + + ^/etc/issue$ + + + ^yes$ + + + ^yes$ + + + ^no$ + + + ^no$ + + + ^yes$ + + + ^no$ + + + ^prohibit-password$ + + + ^no$ + + + ^yes$ + + + ^no$ + + + ^no$ + + + ^no$ + + + ^no$ + + + + + + + + + nosuid + + + ^15.*$ + + + ^12.*$ + + + unix + + + ^15.*$ + + + ^15.*$ + + + unix + + + ^12.*$ + + + ^12.*$ + + + ^7.*$ + + + ^6.*$ + + + true + true + + + active + + + active + + + active + + + active + + + active + + + active + + + active + + + active + + + active + + + active + + + active + + + active + + + active + + + active + + + inactive + + + inactive + + + inactive + + + inactive + + + inactive + + + inactive + + + inactive + + + inactive + + + inactive + + + inactive + + + inactive + + + inactive + + + inactive + + + inactive + + + inactive + + + masked + + + masked + + + masked + + + masked + + + masked + + + masked + + + masked + + + masked + + + masked + + + masked + + + masked + + + masked + + + masked + + + masked + + + masked + + + /dev/null + + + /dev/null + + + /dev/null + + + /dev/null + + + /dev/null + + + /dev/null + + + /dev/null + + + /dev/null + 
+ + /dev/null + + + /dev/null + + + /dev/null + + + /dev/null + + + /dev/null + + + /dev/null + + + /dev/null + + + maxpoll \d+ + + + + + + unlabeled_t + + + device_t + + + unconfined_service_t + + + + + + + + + (?=[\S\s]*\s(?i)protocol(?-i)="tcp")(?=[\S\s]*\s(?i)Target(?-i)="[^"]+?")(?=[\S\s]*\s(?i)port(?-i)="6514")(?=[\S\s]*\s(?i)StreamDriver(?-i)="gtls")(?=[\S\s]*\s(?i)StreamDriverMode(?-i)="1")(?=[\S\s]*\s(?i)StreamDriverAuthMode(?-i)="x509/name")(?=[\S\s]*\s(?i)StreamDriver\.CheckExtendedKeyPurpose(?-i)="on") + + + regular + false + false + false + false + false + false + false + + + regular + 0 + + + regular + 0 + + + + + + 0:4.4 + + + ^13.*$ + + + ^10.*$ + + + ^4.*$ + + + 9 + + + 8 + + + 7 + + + unix + + + ^9.*$ + + + unix + + + ^8.*$ + + + ^7.*$ + + + unix + + + ^7.*$ + + + ^7.*$ + + + ^7.*$ + + + rhcos + + + 4 + + + + + + PROMISC + + + ^s390x$ + + + ^(x86_64|aarch64|ppc64le|s390x)$ + + + \blm\b + + + true + true + + + symbolic link + + + true + true + + + (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^.*ocsp_on.*$ + + + 5b6eac67 + cfc659b9 + + + 5c6ae44d + 3c3359c4 + + + 5d5156ab + 12c944d0 + + + 0 + + + 0 + 0 + + + 0 + 0 + + + 0 + + + (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+) + + + 0 + + + nosuid + + + ^42.*$ + + + ^15.*$ + + + openSUSE-release + + + 0:7.4 + + + ^8.*$ + + + ^7.*$ + + + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + true + + + ^.*,?nosuid,?.* + + + ^.*,?nosuid,?.*$ + + + ^.*,?noexec,?.* + + + ^.*,?noexec,?.*$ + + + ^.*,?nodev,?.* + + + ^.*,?nodev,?.*$ + + + ResultActive=auth_admin + + + centos + + + + + + + + + 0 + + + + + + + + + 0 + + + /etc/crypto-policies/back-ends/krb5.config + + + ^/dev/.*$ + nodev + + + + + + + + + + + + + + + + + + + + + 
noexec + + + true + true + true + true + true + true + true + + + /home + + + ^'-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256'$ + + + ^512M 1h$ + + + ^ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256$ + + + ^final all$ + + + ^hmac-sha2-512,hmac-sha2-256$ + + + ^ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1$ + + + ^no$ + + + ^aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc$ + + + ^(?:.*\s)?vsyscall=none(?:\s.*)?$ + + + ^(?:.*\s)?slub_debug=P(?:\s.*)?$ + + + ^(?:.*\s)?pti=on(?:\s.*)?$ + + + ^(?:.*\s)?page_poison=1(?:\s.*)?$ + + + ^.*\bnousb\b.*$ + + + ^(?:.*\s)?ipv6\.disable=1(?:\s.*)?$ + + + ^(?:.*\s)?iommu=force(?:\s.*)?$ + + + ^(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$ + + + ^(?:.*\s)?audit=1(?:\s.*)?$ + + + (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+) + + + ^false$ + + + + + + 1000 + true + + + + + + + + + fail + + + fail + false + false + + + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + + + + + + ^/sys/.*$ + + + ^/selinux/(?:(?:member)|(?:user)|(?:relabel)|(?:create)|(?:access)|(?:context))$ + + + ^/proc/.*$ + + + regular + true + + + true + + + + + + true + + + + + + false + false + false + false + false + false + false + false + false + false + + + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + 
true + + + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + true + true + true + true + + + true + true + true + true + true + true + true + true + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + + + + + + + + + + -1 + + + + + + [:\.]$ + + + fips + + + ^security$ + + + ^yes$ + + + /etc/systemd/system/default.target + ^(/usr)?/lib/systemd/system/multi-user.target$ + + + ^no$ + + + /etc/systemd/system/ctrl-alt-del.target + /dev/null + + + nosuid + + + noexec + + + nodev + + + ^\/(dev|proc|sys)\/.*$ + + + ^lock-screen$ + + + ^true$ + + + + + + + + + + + + ^(?:.*\s)?selinux=0(?:\s.*)?$ + + + ^(?:.*\s)?selinux=0(?:\s.*)?$ + + + ^(?:.*\s)?selinux=0(?:\s.*)?$ + + + ^(?i)none(?-i)$ + + + ^(?i)0(?-i)$ + + + 0 + + + 0 + + + 0 + + + [^\\]:[^/] + + + \.\. + + + :: + + + ^LinuxAudit$ + + + + + + + + + + + + if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi + + + ^["]?.*-u chrony.*["]?$ + + + 0 + + + 0 + + + ^7.*$ + + + ^6.*$ + + + ^true|"true"$ + + + nosuid + + + noexec + + + nodev + + + noauto + + + ^(block|character) special$ + + + ^[^/] + + + ^[:\.] 
+ + + + + + + + + ^(?i)yes(?-i)$ + + + ^(?i)hostname(?-i)$ + + + ^(?i)ENRICHED(?-i)$ + + + ^(?i)yes(?-i)$ + + + ^(?i)50(?-i)$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + true + true + + + symbolic link + + + ^0$|^never$ + + + + + + + + + + + + + + + x|\* + + + + + + symbolic link + + + + + + true + true + + + symbolic link + + + + + + + + + + + + + + + + + + + + + \nauth[\s]+required[\s]+pam_env.so + \nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s] + login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid + \nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s] + pam_pkcs11.so[\s]nodebug[\s]wait_for_card\n + + + + + \nauth[\s]+required[\s]+pam_env.so + \nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s] + pam_pkcs11.so[\s]nodebug[\s]wait_for_card\n.* + \npassword[\s]+required[\s]+pam_pkcs11.so\n + + + + + \nauth[\s]+required[\s]+pam_env.so + \nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s] + login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid + \nauth[\s]+\[success=done[\s]authinfo_unavail=ignore[\s]ignore=ignore[\s]default=die\][\s] + pam_pkcs11.so[\s]nodebug\n + + + + + ^[\s]* + + [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + + + + + ^[\s]* + + [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + + + + + ^[\s]* + + [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^[\s]* + + [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + + + + + ^[\s]* + + [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + + + + + ^[\s]* + + [\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + + + + /dev/cdrom + /dev/dvd + /dev/scd0 + /dev/sr0 + + + /dev/cdrom + /dev/dvd + /dev/scd0 + /dev/sr0 + + + /dev/cdrom + /dev/dvd + /dev/scd0 + /dev/sr0 + + + 
/dev/cdrom + /dev/dvd + /dev/scd0 + /dev/sr0 + + + + + + + + / + + + + + + + / + + + + + + + 64 + + + + 8 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 5000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^/etc/rsyslog.conf$ + + + + + + + + + + + + + + + + ^/etc/rsyslog.conf$ + + + + + + + + + + + + + + + + ^/etc/rsyslog.conf$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 5000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 64 + + + + 8 + + + + + + + + + 64 + + + + 8 + + + + + + + + + 64 + + + + 8 + + + + + + + + + + + + + + + + + + + + + + + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + (?:[^.]|\.\s)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + (?:[^.]|\.\s)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + (?:[^.]|\.\s)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + + + + + (?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + 
(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + + + + + (?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + (?:[^.]|\.\s)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + + + + + (?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + + + + + (?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + (?:[^.]|\.\s)* + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES) + + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + (?:[^.]|\.\s)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! 
+ + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $ + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + ^ + + $\n(^(?! + + | + + ).*$\n)*^ + + $\n(^(?! 
+ + | + + ).*$\n)*^ + + $ + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + 64 + + + + 8 + + + + + + + + + + + + + + + + pam_unix(?:.*[\n](?:.*[\n]){ + + })(?:.*[\n])*auth.*pam_faillock.so[\s]+[^\n]*deny=([0-9]+) + + + + + ^[^#]*pam_unix(?:.*[\n](?:.*[\n]){ + + })(?:.*[\n])*auth.*pam_faillock.so[\s]+[^\n]*deny=([0-9]+) + + + + + + + + + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + 
+ + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + 
+ + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EPERM) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + + + (?:-F\s+exit=-EACCES) + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^[\s]*RekeyLimit[\s]+ + + [\s]+ + + [\s]*$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 11 + 12 + 14 + 65534 + 999 + 192 + 193 + 81 + 59 + 107 + 998 + 997 + 172 + 171 + 996 + 70 + 995 + 994 + 993 + 113 + 987 + 986 + 985 + 75 + 32 + 48 + 984 + 29 + 983 + 982 + 173 + 981 + 980 + 42 + 979 + 74 + 978 + 72 + 1000 + 977 + 976 + 975 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
+ + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
+ + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
+ + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
+ + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + + + + + 4 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 5 + + + 5 + + + + + + + 3 + + + 3 + + + 900 + + + + 900 + + + 900 + + + 3 + + + 3 + + + 900 + + + 3 + + + 3 + + + 0 + + + + /usr/sbin + /usr/bin + /sbin + /bin + /root/bin + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + 114 + + + + 0 + 114 + + + /usr/lib/polkit-1/polkit-agent-helper-1 + /usr/share/code/chrome-sandbox + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/chage + /var/lib/snapd/snap/core/10583/bin/su + /usr/bin/crontab + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/newgrp + /usr/bin/newgrp + /var/lib/snapd/snap/core/10583/usr/bin/chsh + /var/lib/snapd/snap/core/10583/usr/bin/crontab + /var/lib/snapd/snap/core/10583/usr/bin/dotlockfile + /var/lib/snapd/snap/core/10583/usr/bin/gpasswd + /var/lib/snapd/snap/core/10823/usr/bin/dotlockfile + /var/lib/snapd/snap/core/10823/usr/bin/expiry + /var/lib/snapd/snap/core/10823/usr/bin/gpasswd + /var/lib/snapd/snap/core/10823/usr/bin/mail-touchlock + /var/lib/snapd/snap/core/10823/bin/su + /var/lib/snapd/snap/core/10823/bin/umount + /var/lib/snapd/snap/core/10583/bin/mount + /var/lib/snapd/snap/core/10583/usr/bin/chfn + /var/lib/snapd/snap/core/10823/bin/ping6 + /var/lib/snapd/snap/core/10583/bin/umount + /var/lib/snapd/snap/core/10583/bin/ping6 + /var/lib/snapd/snap/core/10583/bin/ping + /var/lib/snapd/snap/core/10583/sbin/unix_chkpwd + 
/var/lib/snapd/snap/core/10583/usr/bin/chage + /var/lib/snapd/snap/core/10583/usr/bin/ssh-agent + /var/lib/snapd/snap/core/10823/bin/ping + /var/lib/snapd/snap/core/10583/usr/lib/snapd/snap-confine + /var/lib/snapd/snap/core/10583/usr/bin/newgrp + /var/lib/snapd/snap/core/10583/usr/bin/mail-lock + /var/lib/snapd/snap/core/10583/sbin/pam_extrausers_chkpwd + /var/lib/snapd/snap/core/10583/usr/bin/expiry + /var/lib/snapd/snap/core/10583/usr/bin/mail-touchlock + /var/lib/snapd/snap/core/10583/usr/bin/mail-unlock + /var/lib/snapd/snap/core/10583/usr/bin/passwd + /var/lib/snapd/snap/core/10583/usr/bin/wall + /var/lib/snapd/snap/core/10583/usr/bin/sudo + /var/lib/snapd/snap/core/10583/usr/lib/dbus-1.0/dbus-daemon-launch-helper + /var/lib/snapd/snap/core/10583/usr/lib/openssh/ssh-keysign + /var/lib/snapd/snap/core/10823/bin/mount + /var/lib/snapd/snap/core/10823/sbin/unix_chkpwd + /var/lib/snapd/snap/core/10823/usr/bin/chage + /var/lib/snapd/snap/core/10823/usr/bin/chfn + /var/lib/snapd/snap/core/10823/usr/bin/chsh + /var/lib/snapd/snap/core/10823/usr/bin/crontab + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/grub2-set-bootflag + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/bin/su + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/mount + /var/lib/snapd/snap/core/10823/sbin/pam_extrausers_chkpwd + /var/lib/snapd/snap/core/10823/usr/bin/passwd + /var/lib/snapd/snap/core/10823/usr/bin/ssh-agent + /var/lib/snapd/snap/core/10823/usr/bin/wall + /var/lib/snapd/snap/core/10823/usr/bin/sudo + /var/lib/snapd/snap/core/10823/usr/lib/dbus-1.0/dbus-daemon-launch-helper + /var/lib/snapd/snap/core/10823/usr/lib/openssh/ssh-keysign + /var/lib/snapd/snap/core/10823/usr/bin/newgrp + /var/lib/snapd/snap/core/10823/usr/bin/mail-lock + /var/lib/snapd/snap/core/10823/usr/bin/mail-unlock + /var/lib/snapd/snap/core/10583/usr/sbin/pppd + /var/lib/snapd/snap/core/10823/usr/lib/snapd/snap-confine + 
/var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/gpasswd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/write + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/su + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/pam_timestamp_check + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/chage + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/libexec/utempter/utempter + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/libexec/utempter/utempter + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/umount + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/mount + /usr/bin/chfn + /usr/bin/umount + /usr/bin/gpasswd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/pam_timestamp_check + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/su + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/umount + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/gpasswd + /usr/bin/fusermount + /usr/bin/sudo + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/unix_chkpwd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/newgrp + /usr/bin/write + /usr/bin/staprun + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/bin/pkexec + /var/lib/snapd/snap/core/10823/usr/sbin/pppd + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/write + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/unix_chkpwd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/grub2-set-bootflag + /usr/bin/chsh + /usr/bin/passwd + /usr/bin/fusermount-glusterfs + /usr/bin/chage + /usr/bin/fusermount3 + /usr/bin/ksu + /usr/bin/at + /usr/bin/mount + /usr/bin/vmware-user-suid-wrapper + /usr/bin/locate + /usr/libexec/qemu-bridge-helper + /usr/sbin/pam_timestamp_check + /usr/sbin/grub2-set-bootflag + /usr/libexec/snapd/snap-confine + /usr/libexec/openssh/ssh-keysign + /opt/google/chrome/chrome-sandbox + /usr/libexec/utempter/utempter + 
/usr/sbin/userhelper + /usr/sbin/mount.nfs + /usr/sbin/lockdev + /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper + /usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/libexec/Xorg.wrap + /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache + /usr/sbin/unix_chkpwd + + + /usr/lib/polkit-1/polkit-agent-helper-1 + /usr/share/code/chrome-sandbox + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/chage + /var/lib/snapd/snap/core/10583/bin/su + /usr/bin/crontab + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/newgrp + /usr/bin/newgrp + /var/lib/snapd/snap/core/10583/usr/bin/chsh + /var/lib/snapd/snap/core/10583/usr/bin/crontab + /var/lib/snapd/snap/core/10583/usr/bin/dotlockfile + /var/lib/snapd/snap/core/10583/usr/bin/gpasswd + /var/lib/snapd/snap/core/10823/usr/bin/dotlockfile + /var/lib/snapd/snap/core/10823/usr/bin/expiry + /var/lib/snapd/snap/core/10823/usr/bin/gpasswd + /var/lib/snapd/snap/core/10823/usr/bin/mail-touchlock + /var/lib/snapd/snap/core/10823/bin/su + /var/lib/snapd/snap/core/10823/bin/umount + /var/lib/snapd/snap/core/10583/bin/mount + /var/lib/snapd/snap/core/10583/usr/bin/chfn + /var/lib/snapd/snap/core/10823/bin/ping6 + /var/lib/snapd/snap/core/10583/bin/umount + /var/lib/snapd/snap/core/10583/bin/ping6 + /var/lib/snapd/snap/core/10583/bin/ping + /var/lib/snapd/snap/core/10583/sbin/unix_chkpwd + /var/lib/snapd/snap/core/10583/usr/bin/chage + /var/lib/snapd/snap/core/10583/usr/bin/ssh-agent + /var/lib/snapd/snap/core/10823/bin/ping + /var/lib/snapd/snap/core/10583/usr/lib/snapd/snap-confine + /var/lib/snapd/snap/core/10583/usr/bin/newgrp + /var/lib/snapd/snap/core/10583/usr/bin/mail-lock + /var/lib/snapd/snap/core/10583/sbin/pam_extrausers_chkpwd + /var/lib/snapd/snap/core/10583/usr/bin/expiry + /var/lib/snapd/snap/core/10583/usr/bin/mail-touchlock + /var/lib/snapd/snap/core/10583/usr/bin/mail-unlock + /var/lib/snapd/snap/core/10583/usr/bin/passwd + /var/lib/snapd/snap/core/10583/usr/bin/wall + 
/var/lib/snapd/snap/core/10583/usr/bin/sudo + /var/lib/snapd/snap/core/10583/usr/lib/dbus-1.0/dbus-daemon-launch-helper + /var/lib/snapd/snap/core/10583/usr/lib/openssh/ssh-keysign + /var/lib/snapd/snap/core/10823/bin/mount + /var/lib/snapd/snap/core/10823/sbin/unix_chkpwd + /var/lib/snapd/snap/core/10823/usr/bin/chage + /var/lib/snapd/snap/core/10823/usr/bin/chfn + /var/lib/snapd/snap/core/10823/usr/bin/chsh + /var/lib/snapd/snap/core/10823/usr/bin/crontab + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/grub2-set-bootflag + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/bin/su + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/mount + /var/lib/snapd/snap/core/10823/sbin/pam_extrausers_chkpwd + /var/lib/snapd/snap/core/10823/usr/bin/passwd + /var/lib/snapd/snap/core/10823/usr/bin/ssh-agent + /var/lib/snapd/snap/core/10823/usr/bin/wall + /var/lib/snapd/snap/core/10823/usr/bin/sudo + /var/lib/snapd/snap/core/10823/usr/lib/dbus-1.0/dbus-daemon-launch-helper + /var/lib/snapd/snap/core/10823/usr/lib/openssh/ssh-keysign + /var/lib/snapd/snap/core/10823/usr/bin/newgrp + /var/lib/snapd/snap/core/10823/usr/bin/mail-lock + /var/lib/snapd/snap/core/10823/usr/bin/mail-unlock + /var/lib/snapd/snap/core/10583/usr/sbin/pppd + /var/lib/snapd/snap/core/10823/usr/lib/snapd/snap-confine + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/gpasswd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/write + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/su + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/pam_timestamp_check + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/chage + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/libexec/utempter/utempter + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/libexec/utempter/utempter + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/umount + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/mount + 
/usr/bin/chfn + /usr/bin/umount + /usr/bin/gpasswd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/pam_timestamp_check + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/su + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/umount + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/gpasswd + /usr/bin/fusermount + /usr/bin/sudo + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/unix_chkpwd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/newgrp + /usr/bin/write + /usr/bin/staprun + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/bin/pkexec + /var/lib/snapd/snap/core/10823/usr/sbin/pppd + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/write + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/unix_chkpwd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/grub2-set-bootflag + /usr/bin/chsh + /usr/bin/passwd + /usr/bin/fusermount-glusterfs + /usr/bin/chage + /usr/bin/fusermount3 + /usr/bin/ksu + /usr/bin/at + /usr/bin/mount + /usr/bin/vmware-user-suid-wrapper + /usr/bin/locate + /usr/libexec/qemu-bridge-helper + /usr/sbin/pam_timestamp_check + /usr/sbin/grub2-set-bootflag + /usr/libexec/snapd/snap-confine + /usr/libexec/openssh/ssh-keysign + /opt/google/chrome/chrome-sandbox + /usr/libexec/utempter/utempter + /usr/sbin/userhelper + /usr/sbin/mount.nfs + /usr/sbin/lockdev + /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper + /usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/libexec/Xorg.wrap + /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache + /usr/sbin/unix_chkpwd + + + + + + + + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + + + + + + + + + + + + + + + + + + + logcollector + + + + + + + + + single + + + + single + + + + root + + + + single + + + + data + + + + 6 + + + + rotate + + + + 5 + + + + email + + + + + + + + + + + + + + + + + + + + + + + + + 
^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$ + + + + ^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + 10 + + + + 
+ + + + + + + + + + + + + + + + + FIPS + + + + FIPS + + + + /usr/share/crypto-policies/DEFAULT/krb5.txt + + + + /usr/share/crypto-policies/DEFAULT/krb5.txt + /usr/share/crypto-policies/DEFAULT/krb5.txt + + + + + default + + + + + + + + + + + + + + + + + + + + + + + + + + + 1629101700 + 1574949854 + + + + + + + + + + + + + 703575 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 35 + + + + + + + SHA512 + SHA512 + + + + 51 + 51 + + + 600 + + + 600 + + + + + enforcing + + + + + 7 + 2 + 0 + 23 + 027 + + + + 18 + 022 + 2 + 2 + 0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /usr/bin/locate + /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache + /usr/sbin/lockdev + /usr/libexec/utempter/utempter + /usr/bin/write + /usr/libexec/openssh/ssh-keysign + 
/var/lib/snapd/snap/core/10583/usr/bin/crontab + /var/lib/snapd/snap/core/10583/usr/bin/dotlockfile + /var/lib/snapd/snap/core/10823/usr/bin/dotlockfile + /var/lib/snapd/snap/core/10823/usr/bin/expiry + /var/lib/snapd/snap/core/10823/usr/bin/mail-touchlock + /var/lib/snapd/snap/core/10583/sbin/unix_chkpwd + /var/lib/snapd/snap/core/10583/usr/bin/chage + /var/lib/snapd/snap/core/10583/usr/bin/ssh-agent + /var/lib/snapd/snap/core/10583/usr/bin/mail-lock + /var/lib/snapd/snap/core/10583/sbin/pam_extrausers_chkpwd + /var/lib/snapd/snap/core/10583/usr/bin/expiry + /var/lib/snapd/snap/core/10583/usr/bin/mail-touchlock + /var/lib/snapd/snap/core/10583/usr/bin/mail-unlock + /var/lib/snapd/snap/core/10583/usr/bin/wall + /var/lib/snapd/snap/core/10823/sbin/unix_chkpwd + /var/lib/snapd/snap/core/10823/usr/bin/chage + /var/lib/snapd/snap/core/10823/usr/bin/crontab + /var/lib/snapd/snap/core/10823/sbin/pam_extrausers_chkpwd + /var/lib/snapd/snap/core/10823/usr/bin/ssh-agent + /var/lib/snapd/snap/core/10823/usr/bin/wall + /var/lib/snapd/snap/core/10823/usr/bin/mail-lock + /var/lib/snapd/snap/core/10823/usr/bin/mail-unlock + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/write + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/libexec/utempter/utempter + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/libexec/utempter/utempter + /usr/bin/write + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/write + /usr/bin/locate + /usr/libexec/openssh/ssh-keysign + /usr/libexec/utempter/utempter + /usr/sbin/lockdev + /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/lib/polkit-1/polkit-agent-helper-1 + /usr/bin/su + /usr/bin/fusermount + /usr/bin/chfn + /usr/bin/umount + /usr/bin/gpasswd + /usr/bin/crontab + /usr/bin/chsh + /usr/bin/at + /usr/bin/fusermount3 + /usr/bin/ksu + /usr/bin/fusermount-glusterfs 
+ /usr/bin/sudo + /usr/bin/staprun + /usr/bin/mount + /usr/libexec/qemu-bridge-helper + /usr/sbin/pam_timestamp_check + /usr/bin/passwd + /usr/share/code/chrome-sandbox + /usr/bin/newgrp + /usr/sbin/mount.nfs + /usr/sbin/userhelper + /usr/libexec/snapd/snap-confine + /usr/bin/vmware-user-suid-wrapper + /usr/bin/chage + /usr/bin/pkexec + /opt/google/chrome/chrome-sandbox + /usr/sbin/grub2-set-bootflag + /usr/libexec/Xorg.wrap + /usr/sbin/mount.nfs + /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper + /usr/sbin/unix_chkpwd + /usr/lib/polkit-1/polkit-agent-helper-1 + /usr/share/code/chrome-sandbox + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/chage + /var/lib/snapd/snap/core/10583/bin/su + /usr/bin/crontab + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/newgrp + /usr/bin/newgrp + /var/lib/snapd/snap/core/10583/usr/bin/chsh + /var/lib/snapd/snap/core/10583/usr/bin/gpasswd + /var/lib/snapd/snap/core/10823/usr/bin/gpasswd + /var/lib/snapd/snap/core/10823/bin/su + /var/lib/snapd/snap/core/10823/bin/umount + /var/lib/snapd/snap/core/10583/bin/mount + /var/lib/snapd/snap/core/10583/usr/bin/chfn + /var/lib/snapd/snap/core/10823/bin/ping6 + /var/lib/snapd/snap/core/10583/bin/umount + /var/lib/snapd/snap/core/10583/bin/ping6 + /var/lib/snapd/snap/core/10583/bin/ping + /var/lib/snapd/snap/core/10823/bin/ping + /var/lib/snapd/snap/core/10583/usr/lib/snapd/snap-confine + /var/lib/snapd/snap/core/10583/usr/bin/newgrp + /var/lib/snapd/snap/core/10583/usr/bin/passwd + /var/lib/snapd/snap/core/10583/usr/bin/sudo + /var/lib/snapd/snap/core/10583/usr/lib/dbus-1.0/dbus-daemon-launch-helper + /var/lib/snapd/snap/core/10583/usr/lib/openssh/ssh-keysign + /var/lib/snapd/snap/core/10823/bin/mount + /var/lib/snapd/snap/core/10823/usr/bin/chfn + /var/lib/snapd/snap/core/10823/usr/bin/chsh + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/grub2-set-bootflag + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/libexec/dbus-1/dbus-daemon-launch-helper + 
/usr/bin/su + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/mount + /var/lib/snapd/snap/core/10823/usr/bin/passwd + /var/lib/snapd/snap/core/10823/usr/bin/sudo + /var/lib/snapd/snap/core/10823/usr/lib/dbus-1.0/dbus-daemon-launch-helper + /var/lib/snapd/snap/core/10823/usr/lib/openssh/ssh-keysign + /var/lib/snapd/snap/core/10823/usr/bin/newgrp + /var/lib/snapd/snap/core/10583/usr/sbin/pppd + /var/lib/snapd/snap/core/10823/usr/lib/snapd/snap-confine + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/gpasswd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/su + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/pam_timestamp_check + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/chage + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/umount + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/mount + /usr/bin/chfn + /usr/bin/umount + /usr/bin/gpasswd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/pam_timestamp_check + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/su + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/umount + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/gpasswd + /usr/bin/fusermount + /usr/bin/sudo + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/unix_chkpwd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/newgrp + /usr/bin/staprun + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/bin/pkexec + /var/lib/snapd/snap/core/10823/usr/sbin/pppd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/unix_chkpwd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/grub2-set-bootflag + /usr/bin/chsh + /usr/bin/passwd + /usr/bin/fusermount-glusterfs + /usr/bin/chage + /usr/bin/fusermount3 + /usr/bin/ksu + /usr/bin/at + /usr/bin/mount + /usr/bin/vmware-user-suid-wrapper + /usr/libexec/qemu-bridge-helper + /usr/sbin/pam_timestamp_check + /usr/sbin/grub2-set-bootflag + 
/usr/libexec/snapd/snap-confine + /opt/google/chrome/chrome-sandbox + /usr/sbin/userhelper + /usr/sbin/mount.nfs + /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper + /usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/libexec/Xorg.wrap + /usr/sbin/unix_chkpwd + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 10 + 11 + 12 + 15 + 18 + 19 + 20 + 33 + 39 + 50 + 54 + 63 + 100 + 65534 + 22 + 35 + 999 + 36 + 998 + 190 + 997 + 192 + 193 + 81 + 59 + 40 + 107 + 996 + 995 + 994 + 172 + 993 + 992 + 171 + 991 + 70 + 990 + 989 + 988 + 113 + 987 + 986 + 76 + 75 + 32 + 985 + 48 + 984 + 29 + 983 + 982 + 981 + 173 + 980 + 979 + 978 + 42 + 977 + 74 + 976 + 21 + 72 + 1000 + 156 + 157 + 158 + 135 + 975 + 974 + 973 + 972 + 971 + 970 + 969 + 968 + 967 + 966 + + + + + + + + + + + + default + + + + + + + ^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$ + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 10 + 11 + 12 + 15 + 18 + 19 + 20 + 33 + 39 + 50 + 54 + 63 + 100 + 65534 + 22 + 35 + 999 + 36 + 998 + 190 + 997 + 192 + 193 + 81 + 59 + 40 + 107 + 996 + 995 + 994 + 172 + 993 + 992 + 171 + 991 + 70 + 990 + 989 + 988 + 113 + 987 + 986 + 76 + 75 + 32 + 985 + 48 + 984 + 29 + 983 + 982 + 981 + 173 + 980 + 979 + 978 + 42 + 977 + 74 + 976 + 21 + 72 + 1000 + 156 + 157 + 158 + 135 + 975 + 974 + 973 + 972 + 971 + 970 + 969 + 968 + 967 + 966 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1 + + + + + + + + + + + + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /dev/cdrom + /dev/dvd + /dev/scd0 + /dev/sr0 + + + + + + + + + + + + + + + + + + + + + + + + + + + ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + ^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + ^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + ^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + /dev/cdrom + /dev/dvd + /dev/scd0 + /dev/sr0 + + + ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + /dev/cdrom + + + + + + + + ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + ^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + ^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + ^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + /dev/cdrom + /dev/dvd + /dev/scd0 + 
/dev/sr0 + + + ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + /dev/cdrom + + + + + + + + ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + ^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + ^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + ^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + /dev/cdrom + /dev/dvd + /dev/scd0 + /dev/sr0 + + + ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + /dev/cdrom + + + + + 10 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 60 + 99999 + + + + 7 + 0 + + + 15 + + + + 7 + 7 + + + + 5000 + 5000 + + + + 5000 + + + + + + -1 + + + 8 + + + -1 + + + 4 + + + 3 + + + 3 + + + 12 + + + -1 + + + 3 + + + -1 + + + + + + + + + + + + + + + + + + + + + + system.administrator@mail.mil + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /dev/cdrom + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^/etc/rsyslog.conf$ + ^/etc/rsyslog.conf$ + + + ^/etc/rsyslog.conf$ + ^/etc/rsyslog.conf$ + + + ^/etc/rsyslog.conf$ + ^/etc/rsyslog.conf$ + + + + + + + + + + 900 + + + + 0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /dev/video2 + /dev/vcs4 + /dev/ttyS12 + /dev/ttyS11 + /dev/ttyS10 + /dev/ttyS9 + /dev/ttyS8 + /dev/udmabuf + /dev/tpmrm0 + 
/dev/tpm0 + /dev/ttyS7 + /dev/ttyS6 + /dev/ttyS5 + /dev/ttyS4 + /dev/ttyS3 + /dev/usbmon6 + /dev/usbmon5 + /dev/usbmon4 + /dev/usbmon3 + /dev/lp2 + /dev/lp1 + /dev/hidraw2 + /dev/ttyS2 + /dev/ttyS1 + /dev/ttyS0 + /dev/ptmx + /dev/autofs + /dev/snapshot + /dev/tty52 + /dev/tty51 + /dev/tty50 + /dev/tty49 + /dev/tty48 + /dev/tty47 + /dev/usbmon2 + /dev/bus/usb/001/002 + /dev/usbmon0 + /dev/ppp + /dev/cuse + /dev/lp3 + /dev/tty63 + /dev/tty62 + /dev/tty61 + /dev/tty60 + /dev/tty59 + /dev/media0 + /dev/snd/pcmC0D0c + /dev/loop3 + /dev/vhost-net + /dev/vhci + /dev/vcsu2 + /dev/ttyS17 + /dev/ttyS16 + /dev/ttyS15 + /dev/ttyS14 + /dev/ttyS13 + /dev/vcs3 + /dev/hidraw0 + /dev/rfkill + /dev/loop0 + /dev/vcsa3 + /dev/vcsa4 + /dev/dm-0 + /dev/hidraw4 + /dev/fb0 + /dev/drm_dp_aux2 + /dev/ttyS31 + /dev/ttyS30 + /dev/ttyS29 + /dev/ttyS28 + /dev/tty46 + /dev/tty45 + /dev/tty44 + /dev/tty43 + /dev/tty42 + /dev/tty41 + /dev/loop2 + /dev/vcsu4 + /dev/tty40 + /dev/tty39 + /dev/tty38 + /dev/tty37 + /dev/tty36 + /dev/tty35 + /dev/vcsu3 + /dev/lp0 + /dev/video1 + /dev/video0 + /dev/media1 + /dev/drm_dp_aux1 + /dev/drm_dp_aux0 + /dev/tty58 + /dev/tty57 + /dev/tty56 + /dev/tty55 + /dev/tty54 + /dev/tty53 + /dev/watchdog0 + /dev/vcs2 + /dev/tty10 + /dev/tty9 + /dev/tty8 + /dev/tty7 + /dev/tty6 + /dev/tty5 + /dev/vcsa5 + /dev/vcsu5 + /dev/urandom + /dev/random + /dev/full + /dev/zero + /dev/port + /dev/null + /dev/mem + /dev/tty34 + /dev/tty33 + /dev/tty32 + /dev/tty31 + /dev/tty30 + /dev/tty29 + /dev/drm_dp_aux4 + /dev/drm_dp_aux3 + /dev/uhid + /dev/loop-control + /dev/fuse + /dev/nvme0n1p2 + /dev/nvme0n1p1 + /dev/tty16 + /dev/tty15 + /dev/tty14 + /dev/tty13 + /dev/tty12 + /dev/tty11 + /dev/tty22 + /dev/tty21 + /dev/tty20 + /dev/tty19 + /dev/tty18 + /dev/tty17 + /dev/ttyS27 + /dev/ttyS26 + /dev/ttyS25 + /dev/ttyS24 + /dev/ttyS23 + /dev/vcs5 + /dev/watchdog + /dev/nvme0n1 + /dev/input/event22 + /dev/gpiochip0 + /dev/uinput + /dev/tty4 + /dev/tty3 + /dev/tty2 + /dev/tty1 + /dev/vcsa1 + 
/dev/vcsu1 + /dev/vcs1 + /dev/vga_arbiter + /dev/vcs6 + /dev/ttyS22 + /dev/ttyS21 + /dev/ttyS20 + /dev/ttyS19 + /dev/ttyS18 + /dev/vcsa2 + /dev/vcsa + /dev/vcsu + /dev/vcs + /dev/tty0 + /dev/console + /dev/tty + /dev/kmsg + /dev/video3 + /dev/tty28 + /dev/tty27 + /dev/tty26 + /dev/tty25 + /dev/tty24 + /dev/tty23 + /dev/vcsu6 + /dev/drm_dp_aux5 + /dev/mei0 + /dev/vcsa6 + /dev/ptp0 + /dev/hidraw3 + /dev/rtc0 + /dev/input/event16 + /dev/usbmon7 + /dev/dm-2 + /dev/mcelog + /dev/dm-3 + /dev/acpi_thermal_rel + /dev/snd/controlC0 + /dev/snd/hwC0D2 + /dev/snd/hwC0D0 + /dev/snd/pcmC0D10p + /dev/snd/pcmC0D9p + /dev/snd/pcmC0D8p + /dev/snd/pcmC0D7p + /dev/snd/pcmC0D0p + /dev/snd/pcmC1D0c + /dev/snd/pcmC1D0p + /dev/snd/seq + /dev/snd/timer + /dev/vhost-vsock + /dev/snd/pcmC0D3p + /dev/vfio/vfio + /dev/snd/controlC1 + /dev/net/tun + /dev/usb/hiddev0 + /dev/zram0 + /dev/dm-1 + /dev/dri/card0 + /dev/dri/renderD128 + /dev/nvme0n1p3 + /dev/ng0n1 + /dev/nvme0 + /dev/hidraw1 + /dev/cpu_dma_latency + /dev/pts/0 + /dev/pts/1 + /dev/pts/ptmx + /dev/bus/usb/007/001 + /dev/btrfs-control + /dev/bus/usb/004/001 + /dev/mapper/control + /dev/input/mouse1 + /dev/input/event21 + /dev/input/mouse0 + /dev/input/event20 + /dev/input/event19 + /dev/input/event18 + /dev/input/event17 + /dev/input/event9 + /dev/input/event8 + /dev/input/event15 + /dev/input/event14 + /dev/input/event13 + /dev/input/event11 + /dev/input/event10 + /dev/input/mouse2 + /dev/input/event7 + /dev/input/event6 + /dev/input/event5 + /dev/input/event4 + /dev/input/event3 + /dev/input/event2 + /dev/input/event1 + /dev/input/event0 + /dev/input/mice + /dev/usbmon8 + /dev/bus/usb/008/001 + /dev/input/event12 + /dev/bus/usb/005/002 + /dev/bus/usb/002/001 + /dev/bus/usb/006/002 + /dev/bus/usb/006/001 + /dev/dma_heap/system + /dev/bus/usb/005/001 + /dev/raw/rawctl + /dev/bus/usb/003/004 + /dev/usbmon1 + /dev/bus/usb/003/003 + /dev/bus/usb/003/002 + /dev/bus/usb/003/001 + /dev/cpu/6/cpuid + /dev/bus/usb/001/001 + /dev/cpu/5/cpuid + 
/dev/cpu/4/cpuid + /dev/cpu/7/cpuid + /dev/cpu/7/msr + /dev/cpu/3/cpuid + /dev/cpu/6/msr + /dev/cpu/2/cpuid + /dev/cpu/5/msr + /dev/cpu/1/cpuid + /dev/cpu/4/msr + /dev/cpu/0/cpuid + /dev/cpu/3/msr + /dev/cpu/2/msr + /dev/cpu/1/msr + /dev/cpu/0/msr + /dev/kvm + /dev/loop1 + /dev/hwrng + /dev/nvram + /dev/hpet + + + /dev/video2 + /dev/vcs4 + /dev/ttyS12 + /dev/ttyS11 + /dev/ttyS10 + /dev/ttyS9 + /dev/ttyS8 + /dev/udmabuf + /dev/tpmrm0 + /dev/tpm0 + /dev/ttyS7 + /dev/ttyS6 + /dev/ttyS5 + /dev/ttyS4 + /dev/ttyS3 + /dev/usbmon6 + /dev/usbmon5 + /dev/usbmon4 + /dev/usbmon3 + /dev/lp2 + /dev/lp1 + /dev/hidraw2 + /dev/ttyS2 + /dev/ttyS1 + /dev/ttyS0 + /dev/ptmx + /dev/autofs + /dev/snapshot + /dev/tty52 + /dev/tty51 + /dev/tty50 + /dev/tty49 + /dev/tty48 + /dev/tty47 + /dev/usbmon2 + /dev/bus/usb/001/002 + /dev/usbmon0 + /dev/ppp + /dev/cuse + /dev/lp3 + /dev/tty63 + /dev/tty62 + /dev/tty61 + /dev/tty60 + /dev/tty59 + /dev/media0 + /dev/snd/pcmC0D0c + /dev/loop3 + /dev/vhost-net + /dev/vhci + /dev/vcsu2 + /dev/ttyS17 + /dev/ttyS16 + /dev/ttyS15 + /dev/ttyS14 + /dev/ttyS13 + /dev/vcs3 + /dev/hidraw0 + /dev/rfkill + /dev/loop0 + /dev/vcsa3 + /dev/vcsa4 + /dev/dm-0 + /dev/hidraw4 + /dev/fb0 + /dev/drm_dp_aux2 + /dev/ttyS31 + /dev/ttyS30 + /dev/ttyS29 + /dev/ttyS28 + /dev/tty46 + /dev/tty45 + /dev/tty44 + /dev/tty43 + /dev/tty42 + /dev/tty41 + /dev/loop2 + /dev/vcsu4 + /dev/tty40 + /dev/tty39 + /dev/tty38 + /dev/tty37 + /dev/tty36 + /dev/tty35 + /dev/vcsu3 + /dev/lp0 + /dev/video1 + /dev/video0 + /dev/media1 + /dev/drm_dp_aux1 + /dev/drm_dp_aux0 + /dev/tty58 + /dev/tty57 + /dev/tty56 + /dev/tty55 + /dev/tty54 + /dev/tty53 + /dev/watchdog0 + /dev/vcs2 + /dev/tty10 + /dev/tty9 + /dev/tty8 + /dev/tty7 + /dev/tty6 + /dev/tty5 + /dev/vcsa5 + /dev/vcsu5 + /dev/urandom + /dev/random + /dev/full + /dev/zero + /dev/port + /dev/null + /dev/mem + /dev/tty34 + /dev/tty33 + /dev/tty32 + /dev/tty31 + /dev/tty30 + /dev/tty29 + /dev/drm_dp_aux4 + /dev/drm_dp_aux3 + /dev/uhid + 
/dev/loop-control + /dev/fuse + /dev/nvme0n1p2 + /dev/nvme0n1p1 + /dev/tty16 + /dev/tty15 + /dev/tty14 + /dev/tty13 + /dev/tty12 + /dev/tty11 + /dev/tty22 + /dev/tty21 + /dev/tty20 + /dev/tty19 + /dev/tty18 + /dev/tty17 + /dev/ttyS27 + /dev/ttyS26 + /dev/ttyS25 + /dev/ttyS24 + /dev/ttyS23 + /dev/vcs5 + /dev/watchdog + /dev/nvme0n1 + /dev/input/event22 + /dev/gpiochip0 + /dev/uinput + /dev/tty4 + /dev/tty3 + /dev/tty2 + /dev/tty1 + /dev/vcsa1 + /dev/vcsu1 + /dev/vcs1 + /dev/vga_arbiter + /dev/vcs6 + /dev/ttyS22 + /dev/ttyS21 + /dev/ttyS20 + /dev/ttyS19 + /dev/ttyS18 + /dev/vcsa2 + /dev/vcsa + /dev/vcsu + /dev/vcs + /dev/tty0 + /dev/console + /dev/tty + /dev/kmsg + /dev/video3 + /dev/tty28 + /dev/tty27 + /dev/tty26 + /dev/tty25 + /dev/tty24 + /dev/tty23 + /dev/vcsu6 + /dev/drm_dp_aux5 + /dev/mei0 + /dev/vcsa6 + /dev/ptp0 + /dev/hidraw3 + /dev/rtc0 + /dev/input/event16 + /dev/usbmon7 + /dev/dm-2 + /dev/mcelog + /dev/dm-3 + /dev/acpi_thermal_rel + /dev/snd/controlC0 + /dev/snd/hwC0D2 + /dev/snd/hwC0D0 + /dev/snd/pcmC0D10p + /dev/snd/pcmC0D9p + /dev/snd/pcmC0D8p + /dev/snd/pcmC0D7p + /dev/snd/pcmC0D0p + /dev/snd/pcmC1D0c + /dev/snd/pcmC1D0p + /dev/snd/seq + /dev/snd/timer + /dev/vhost-vsock + /dev/snd/pcmC0D3p + /dev/vfio/vfio + /dev/snd/controlC1 + /dev/net/tun + /dev/usb/hiddev0 + /dev/zram0 + /dev/dm-1 + /dev/dri/card0 + /dev/dri/renderD128 + /dev/nvme0n1p3 + /dev/ng0n1 + /dev/nvme0 + /dev/hidraw1 + /dev/cpu_dma_latency + /dev/pts/0 + /dev/pts/1 + /dev/pts/ptmx + /dev/bus/usb/007/001 + /dev/btrfs-control + /dev/bus/usb/004/001 + /dev/mapper/control + /dev/input/mouse1 + /dev/input/event21 + /dev/input/mouse0 + /dev/input/event20 + /dev/input/event19 + /dev/input/event18 + /dev/input/event17 + /dev/input/event9 + /dev/input/event8 + /dev/input/event15 + /dev/input/event14 + /dev/input/event13 + /dev/input/event11 + /dev/input/event10 + /dev/input/mouse2 + /dev/input/event7 + /dev/input/event6 + /dev/input/event5 + /dev/input/event4 + /dev/input/event3 + 
/dev/input/event2 + /dev/input/event1 + /dev/input/event0 + /dev/input/mice + /dev/usbmon8 + /dev/bus/usb/008/001 + /dev/input/event12 + /dev/bus/usb/005/002 + /dev/bus/usb/002/001 + /dev/bus/usb/006/002 + /dev/bus/usb/006/001 + /dev/dma_heap/system + /dev/bus/usb/005/001 + /dev/raw/rawctl + /dev/bus/usb/003/004 + /dev/usbmon1 + /dev/bus/usb/003/003 + /dev/bus/usb/003/002 + /dev/bus/usb/003/001 + /dev/cpu/6/cpuid + /dev/bus/usb/001/001 + /dev/cpu/5/cpuid + /dev/cpu/4/cpuid + /dev/cpu/7/cpuid + /dev/cpu/7/msr + /dev/cpu/3/cpuid + /dev/cpu/6/msr + /dev/cpu/2/cpuid + /dev/cpu/5/msr + /dev/cpu/1/cpuid + /dev/cpu/4/msr + /dev/cpu/0/cpuid + /dev/cpu/3/msr + /dev/cpu/2/msr + /dev/cpu/1/msr + /dev/cpu/0/msr + /dev/kvm + /dev/loop1 + /dev/hwrng + /dev/nvram + /dev/hpet + + + + + + + targeted + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1000 + + + + 201 + 999 + + + + 201 + + + + + + + + + + + + + + + + + \nauth[\s]+required[\s]+pam_env.so\nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s]login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid\nauth[\s]+\[success=done[\s]authinfo_unavail=ignore[\s]ignore=ignore[\s]default=die\][\s]pam_pkcs11.so[\s]nodebug\n + + + \nauth[\s]+required[\s]+pam_env.so\nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s]pam_pkcs11.so[\s]nodebug[\s]wait_for_card\n.*\npassword[\s]+required[\s]+pam_pkcs11.so\n + + + 
\nauth[\s]+required[\s]+pam_env.so\nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s]login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid\nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s]pam_pkcs11.so[\s]nodebug[\s]wait_for_card\n + + + + + + + 0 + + + no + + + + + + + + + + + + + + + + + + + + + + + + + + + 300 + + + 4 + + + 10 + + + + 0 + + + + + 1h + 512M + ^[\s]*RekeyLimit[\s]+512M[\s]+1h[\s]*$ + + + + 0 + + + + 0 + + + + + + + + sandbox + + + + + + + 300 + + + + + 180 + + + + + + + + + + + + + + + + + + + + 0 + + + 0 + + + 1 + + + 1 + + + 0 + + + + 0 + + + 0 + + + 1 + + + 1 + + + 0 + + + + 1 + + + 1 + + + + + 1 + + + 0 + + + 0 + + + 0 + + + 0 + + + + 1 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 1 + + + 0 + + + + + + + + + + + + + + + + + + + + + + 0 + + + 0 + + + 1 + + + 1 + + + 0 + + + + 0 + + + 0 + + + 1 + + + 1 + + + 0 + + + + 1 + + + 1 + + + + + 1 + + + 0 + + + 0 + + + 0 + + + 0 + + + + 1 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 1 + + + 0 + + + + + + + + + + + + + + + + + + + + + + + 0 + + + 0 + + + 1 + + + 1 + + + 0 + + + + 0 + + + 0 + + + 1 + + + 1 + + + 0 + + + + 1 + + + 1 + + + + + 1 + + + 0 + + + 0 + + + 0 + + + 0 + + + + 1 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 1 + + + 0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + 0 + + + 1 + + + 1 + + + 0 + + + + 0 + + + + 0 + + + 1 + + + + 1 + + + 0 + + + + 1 + + + 1 + + + + + 1 + + + 0 + + + 0 + + + 0 + + + 0 + + + + 1 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 0 + + + 1 + + + 0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + + 0 + + + + 1 + + + + 1 + + + + 0 + + + + + + + 0 + + + + 0 + + + + 1 + + + + 1 + + + + 0 + + + + + + + 1 + + + + 1 + + + + + + + + + + 1 + + + + 0 + + + + 0 + + + + 0 + + + + 0 + + + + + + + 1 + + + + 0 + + + + 0 + 
+ + + 0 + + + + 0 + + + + 0 + + + + 0 + + + + 0 + + + + 1 + + + + 0 + + + + + + + + + + 5000 + 5000 + + + + 5000 + + + + FIPS + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + + + + + + + + + + + /dev/cdrom + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 7 + 2 + 0 + 23 + 027 + 2 + 2 + 0 + 18 + + + 7 + 2 + 0 + 23 + 027 + + + + 18 + 022 + 2 + 2 + 0 + 2 + 2 + 0 + 18 + + + + + cpe:/a:open-scap:oscap + ssg: [0, 1, 56], python: 3.9.5 + 5.11 + 2021-08-16T15:11:58 + + + Fedora + 34 (Workstation Edition) + x86_64 + rh-hony + + + lo + 127.0.0.1 + 00:00:00:00:00:00 + + + enp9s0u1 + 10.43.21.233 + 00:50:B6:8E:49:DA + + + wlp0s20f3 + 10.200.153.45 + 74:D8:3E:1A:0C:3E + + + virbr0 + 192.168.122.1 + 52:54:00:E8:16:C5 + + + lo + ::1 + 00:00:00:00:00:00 + + + enp9s0u1 + 2620:52:0:2b15:76a6:117d:1d6:7579 + 00:50:B6:8E:49:DA + + + enp9s0u1 + fe80::648:e757:55c:e02e + 00:50:B6:8E:49:DA + + + wlp0s20f3 + fe80::3bc2:6468:e470:d804 + 74:D8:3E:1A:0C:3E + + + tap0 + fe80::fc21:e6ff:feca:b1f9 + FE:21:E6:CA:B1:F9 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 11 + 12 + 14 + 65534 + 999 + 192 + 193 + 81 + 59 + 107 + 998 + 997 + 172 + 171 + 996 + 70 + 995 + 994 + 993 + 113 + 987 + 986 + 985 + 75 + 32 + 48 + 984 + 29 + 983 + 982 + 173 + 981 + 980 + 42 + 979 + 74 + 978 + 72 + 1000 + 977 + 976 + 975 + + + + + + + + + + + + + 2 + 2 + 0 + 18 + + + + Referenced variable has no values (oval:ssg-var_etc_profile_umask_as_number:var:1). 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /usr/bin/locate + /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache + /usr/sbin/lockdev + /usr/libexec/utempter/utempter + /usr/bin/write + /usr/libexec/openssh/ssh-keysign + /var/lib/snapd/snap/core/10583/usr/bin/crontab + /var/lib/snapd/snap/core/10583/usr/bin/dotlockfile + /var/lib/snapd/snap/core/10823/usr/bin/dotlockfile + /var/lib/snapd/snap/core/10823/usr/bin/expiry + /var/lib/snapd/snap/core/10823/usr/bin/mail-touchlock + /var/lib/snapd/snap/core/10583/sbin/unix_chkpwd + /var/lib/snapd/snap/core/10583/usr/bin/chage + /var/lib/snapd/snap/core/10583/usr/bin/ssh-agent + /var/lib/snapd/snap/core/10583/usr/bin/mail-lock + /var/lib/snapd/snap/core/10583/sbin/pam_extrausers_chkpwd + /var/lib/snapd/snap/core/10583/usr/bin/expiry + /var/lib/snapd/snap/core/10583/usr/bin/mail-touchlock + /var/lib/snapd/snap/core/10583/usr/bin/mail-unlock + /var/lib/snapd/snap/core/10583/usr/bin/wall + /var/lib/snapd/snap/core/10823/sbin/unix_chkpwd + /var/lib/snapd/snap/core/10823/usr/bin/chage + /var/lib/snapd/snap/core/10823/usr/bin/crontab + /var/lib/snapd/snap/core/10823/sbin/pam_extrausers_chkpwd + /var/lib/snapd/snap/core/10823/usr/bin/ssh-agent + /var/lib/snapd/snap/core/10823/usr/bin/wall + /var/lib/snapd/snap/core/10823/usr/bin/mail-lock + /var/lib/snapd/snap/core/10823/usr/bin/mail-unlock + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/write + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/libexec/utempter/utempter + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/libexec/utempter/utempter + /usr/bin/write + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/write + /usr/bin/locate + /usr/libexec/openssh/ssh-keysign + /usr/libexec/utempter/utempter + /usr/sbin/lockdev + /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + /usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/lib/polkit-1/polkit-agent-helper-1 + /usr/bin/su + /usr/bin/fusermount + /usr/bin/chfn + /usr/bin/umount + /usr/bin/gpasswd + /usr/bin/crontab + /usr/bin/chsh + /usr/bin/at + /usr/bin/fusermount3 + /usr/bin/ksu + /usr/bin/fusermount-glusterfs + /usr/bin/sudo + /usr/bin/staprun + /usr/bin/mount + /usr/libexec/qemu-bridge-helper + /usr/sbin/pam_timestamp_check + /usr/bin/passwd + /usr/share/code/chrome-sandbox + /usr/bin/newgrp + /usr/sbin/mount.nfs + /usr/sbin/userhelper + /usr/libexec/snapd/snap-confine + /usr/bin/vmware-user-suid-wrapper + /usr/bin/chage + /usr/bin/pkexec + /opt/google/chrome/chrome-sandbox + /usr/sbin/grub2-set-bootflag + /usr/libexec/Xorg.wrap + /usr/sbin/mount.nfs + /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper + /usr/sbin/unix_chkpwd + /usr/lib/polkit-1/polkit-agent-helper-1 + /usr/share/code/chrome-sandbox + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/chage + /var/lib/snapd/snap/core/10583/bin/su + /usr/bin/crontab + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/newgrp + /usr/bin/newgrp + /var/lib/snapd/snap/core/10583/usr/bin/chsh + /var/lib/snapd/snap/core/10583/usr/bin/gpasswd + /var/lib/snapd/snap/core/10823/usr/bin/gpasswd + /var/lib/snapd/snap/core/10823/bin/su + /var/lib/snapd/snap/core/10823/bin/umount + /var/lib/snapd/snap/core/10583/bin/mount + /var/lib/snapd/snap/core/10583/usr/bin/chfn + /var/lib/snapd/snap/core/10823/bin/ping6 + /var/lib/snapd/snap/core/10583/bin/umount + /var/lib/snapd/snap/core/10583/bin/ping6 + /var/lib/snapd/snap/core/10583/bin/ping + /var/lib/snapd/snap/core/10823/bin/ping + /var/lib/snapd/snap/core/10583/usr/lib/snapd/snap-confine + /var/lib/snapd/snap/core/10583/usr/bin/newgrp + /var/lib/snapd/snap/core/10583/usr/bin/passwd + /var/lib/snapd/snap/core/10583/usr/bin/sudo + /var/lib/snapd/snap/core/10583/usr/lib/dbus-1.0/dbus-daemon-launch-helper + 
/var/lib/snapd/snap/core/10583/usr/lib/openssh/ssh-keysign + /var/lib/snapd/snap/core/10823/bin/mount + /var/lib/snapd/snap/core/10823/usr/bin/chfn + /var/lib/snapd/snap/core/10823/usr/bin/chsh + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/grub2-set-bootflag + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/bin/su + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/mount + /var/lib/snapd/snap/core/10823/usr/bin/passwd + /var/lib/snapd/snap/core/10823/usr/bin/sudo + /var/lib/snapd/snap/core/10823/usr/lib/dbus-1.0/dbus-daemon-launch-helper + /var/lib/snapd/snap/core/10823/usr/lib/openssh/ssh-keysign + /var/lib/snapd/snap/core/10823/usr/bin/newgrp + /var/lib/snapd/snap/core/10583/usr/sbin/pppd + /var/lib/snapd/snap/core/10823/usr/lib/snapd/snap-confine + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/gpasswd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/su + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/pam_timestamp_check + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/chage + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/umount + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/mount + /usr/bin/chfn + /usr/bin/umount + /usr/bin/gpasswd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/pam_timestamp_check + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/su + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/umount + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/gpasswd + /usr/bin/fusermount + /usr/bin/sudo + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/unix_chkpwd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/newgrp + /usr/bin/staprun + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/bin/pkexec + /var/lib/snapd/snap/core/10823/usr/sbin/pppd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/unix_chkpwd + 
/var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/grub2-set-bootflag + /usr/bin/chsh + /usr/bin/passwd + /usr/bin/fusermount-glusterfs + /usr/bin/chage + /usr/bin/fusermount3 + /usr/bin/ksu + /usr/bin/at + /usr/bin/mount + /usr/bin/vmware-user-suid-wrapper + /usr/libexec/qemu-bridge-helper + /usr/sbin/pam_timestamp_check + /usr/sbin/grub2-set-bootflag + /usr/libexec/snapd/snap-confine + /opt/google/chrome/chrome-sandbox + /usr/sbin/userhelper + /usr/sbin/mount.nfs + /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper + /usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/libexec/Xorg.wrap + /usr/sbin/unix_chkpwd + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 1h + 512M + ^[\s]*RekeyLimit[\s]+512M[\s]+1h[\s]*$ + + + + + + + + + + + + + + + + + FIPS + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 2 + 2 + 0 + 18 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
+ + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
+ + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
+ + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin + + + Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin + + + /usr/sbin + /usr/bin + /sbin + /bin + /root/bin + + + Can't find process with requested PID. + + + + + Referenced variable has no values (oval:ssg-variable_aide_build_new_database_absolute_path:var:1). 
+ + + + + Referenced variable has no values (oval:ssg-variable_aide_operational_database_absolute_path:var:1) + + + + + + + + + + + + + + + + + + + + + + + /usr/lib/polkit-1/polkit-agent-helper-1 + /usr/share/code/chrome-sandbox + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/chage + /var/lib/snapd/snap/core/10583/bin/su + /usr/bin/crontab + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/newgrp + /usr/bin/newgrp + /var/lib/snapd/snap/core/10583/usr/bin/chsh + /var/lib/snapd/snap/core/10583/usr/bin/crontab + /var/lib/snapd/snap/core/10583/usr/bin/dotlockfile + /var/lib/snapd/snap/core/10583/usr/bin/gpasswd + /var/lib/snapd/snap/core/10823/usr/bin/dotlockfile + /var/lib/snapd/snap/core/10823/usr/bin/expiry + /var/lib/snapd/snap/core/10823/usr/bin/gpasswd + /var/lib/snapd/snap/core/10823/usr/bin/mail-touchlock + /var/lib/snapd/snap/core/10823/bin/su + /var/lib/snapd/snap/core/10823/bin/umount + /var/lib/snapd/snap/core/10583/bin/mount + /var/lib/snapd/snap/core/10583/usr/bin/chfn + /var/lib/snapd/snap/core/10823/bin/ping6 + /var/lib/snapd/snap/core/10583/bin/umount + /var/lib/snapd/snap/core/10583/bin/ping6 + /var/lib/snapd/snap/core/10583/bin/ping + /var/lib/snapd/snap/core/10583/sbin/unix_chkpwd + /var/lib/snapd/snap/core/10583/usr/bin/chage + /var/lib/snapd/snap/core/10583/usr/bin/ssh-agent + /var/lib/snapd/snap/core/10823/bin/ping + /var/lib/snapd/snap/core/10583/usr/lib/snapd/snap-confine + /var/lib/snapd/snap/core/10583/usr/bin/newgrp + /var/lib/snapd/snap/core/10583/usr/bin/mail-lock + /var/lib/snapd/snap/core/10583/sbin/pam_extrausers_chkpwd + /var/lib/snapd/snap/core/10583/usr/bin/expiry + /var/lib/snapd/snap/core/10583/usr/bin/mail-touchlock + /var/lib/snapd/snap/core/10583/usr/bin/mail-unlock + /var/lib/snapd/snap/core/10583/usr/bin/passwd + /var/lib/snapd/snap/core/10583/usr/bin/wall + /var/lib/snapd/snap/core/10583/usr/bin/sudo + /var/lib/snapd/snap/core/10583/usr/lib/dbus-1.0/dbus-daemon-launch-helper + 
/var/lib/snapd/snap/core/10583/usr/lib/openssh/ssh-keysign + /var/lib/snapd/snap/core/10823/bin/mount + /var/lib/snapd/snap/core/10823/sbin/unix_chkpwd + /var/lib/snapd/snap/core/10823/usr/bin/chage + /var/lib/snapd/snap/core/10823/usr/bin/chfn + /var/lib/snapd/snap/core/10823/usr/bin/chsh + /var/lib/snapd/snap/core/10823/usr/bin/crontab + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/grub2-set-bootflag + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/bin/su + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/mount + /var/lib/snapd/snap/core/10823/sbin/pam_extrausers_chkpwd + /var/lib/snapd/snap/core/10823/usr/bin/passwd + /var/lib/snapd/snap/core/10823/usr/bin/ssh-agent + /var/lib/snapd/snap/core/10823/usr/bin/wall + /var/lib/snapd/snap/core/10823/usr/bin/sudo + /var/lib/snapd/snap/core/10823/usr/lib/dbus-1.0/dbus-daemon-launch-helper + /var/lib/snapd/snap/core/10823/usr/lib/openssh/ssh-keysign + /var/lib/snapd/snap/core/10823/usr/bin/newgrp + /var/lib/snapd/snap/core/10823/usr/bin/mail-lock + /var/lib/snapd/snap/core/10823/usr/bin/mail-unlock + /var/lib/snapd/snap/core/10583/usr/sbin/pppd + /var/lib/snapd/snap/core/10823/usr/lib/snapd/snap-confine + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/gpasswd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/write + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/su + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/pam_timestamp_check + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/chage + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/libexec/utempter/utempter + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/libexec/utempter/utempter + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/umount + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/mount + /usr/bin/chfn + /usr/bin/umount + /usr/bin/gpasswd + 
/var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/pam_timestamp_check + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/su + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/umount + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/gpasswd + /usr/bin/fusermount + /usr/bin/sudo + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/unix_chkpwd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/newgrp + /usr/bin/write + /usr/bin/staprun + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/bin/pkexec + /var/lib/snapd/snap/core/10823/usr/sbin/pppd + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/write + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/unix_chkpwd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/grub2-set-bootflag + /usr/bin/chsh + /usr/bin/passwd + /usr/bin/fusermount-glusterfs + /usr/bin/chage + /usr/bin/fusermount3 + /usr/bin/ksu + /usr/bin/at + /usr/bin/mount + /usr/bin/vmware-user-suid-wrapper + /usr/bin/locate + /usr/libexec/qemu-bridge-helper + /usr/sbin/pam_timestamp_check + /usr/sbin/grub2-set-bootflag + /usr/libexec/snapd/snap-confine + /usr/libexec/openssh/ssh-keysign + /opt/google/chrome/chrome-sandbox + /usr/libexec/utempter/utempter + /usr/sbin/userhelper + /usr/sbin/mount.nfs + /usr/sbin/lockdev + /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper + /usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/libexec/Xorg.wrap + /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache + /usr/sbin/unix_chkpwd + + + /usr/lib/polkit-1/polkit-agent-helper-1 + /usr/share/code/chrome-sandbox + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/chage + /var/lib/snapd/snap/core/10583/bin/su + /usr/bin/crontab + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/newgrp + /usr/bin/newgrp + /var/lib/snapd/snap/core/10583/usr/bin/chsh + /var/lib/snapd/snap/core/10583/usr/bin/crontab + 
/var/lib/snapd/snap/core/10583/usr/bin/dotlockfile + /var/lib/snapd/snap/core/10583/usr/bin/gpasswd + /var/lib/snapd/snap/core/10823/usr/bin/dotlockfile + /var/lib/snapd/snap/core/10823/usr/bin/expiry + /var/lib/snapd/snap/core/10823/usr/bin/gpasswd + /var/lib/snapd/snap/core/10823/usr/bin/mail-touchlock + /var/lib/snapd/snap/core/10823/bin/su + /var/lib/snapd/snap/core/10823/bin/umount + /var/lib/snapd/snap/core/10583/bin/mount + /var/lib/snapd/snap/core/10583/usr/bin/chfn + /var/lib/snapd/snap/core/10823/bin/ping6 + /var/lib/snapd/snap/core/10583/bin/umount + /var/lib/snapd/snap/core/10583/bin/ping6 + /var/lib/snapd/snap/core/10583/bin/ping + /var/lib/snapd/snap/core/10583/sbin/unix_chkpwd + /var/lib/snapd/snap/core/10583/usr/bin/chage + /var/lib/snapd/snap/core/10583/usr/bin/ssh-agent + /var/lib/snapd/snap/core/10823/bin/ping + /var/lib/snapd/snap/core/10583/usr/lib/snapd/snap-confine + /var/lib/snapd/snap/core/10583/usr/bin/newgrp + /var/lib/snapd/snap/core/10583/usr/bin/mail-lock + /var/lib/snapd/snap/core/10583/sbin/pam_extrausers_chkpwd + /var/lib/snapd/snap/core/10583/usr/bin/expiry + /var/lib/snapd/snap/core/10583/usr/bin/mail-touchlock + /var/lib/snapd/snap/core/10583/usr/bin/mail-unlock + /var/lib/snapd/snap/core/10583/usr/bin/passwd + /var/lib/snapd/snap/core/10583/usr/bin/wall + /var/lib/snapd/snap/core/10583/usr/bin/sudo + /var/lib/snapd/snap/core/10583/usr/lib/dbus-1.0/dbus-daemon-launch-helper + /var/lib/snapd/snap/core/10583/usr/lib/openssh/ssh-keysign + /var/lib/snapd/snap/core/10823/bin/mount + /var/lib/snapd/snap/core/10823/sbin/unix_chkpwd + /var/lib/snapd/snap/core/10823/usr/bin/chage + /var/lib/snapd/snap/core/10823/usr/bin/chfn + /var/lib/snapd/snap/core/10823/usr/bin/chsh + /var/lib/snapd/snap/core/10823/usr/bin/crontab + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/grub2-set-bootflag + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/bin/su + 
/var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/mount + /var/lib/snapd/snap/core/10823/sbin/pam_extrausers_chkpwd + /var/lib/snapd/snap/core/10823/usr/bin/passwd + /var/lib/snapd/snap/core/10823/usr/bin/ssh-agent + /var/lib/snapd/snap/core/10823/usr/bin/wall + /var/lib/snapd/snap/core/10823/usr/bin/sudo + /var/lib/snapd/snap/core/10823/usr/lib/dbus-1.0/dbus-daemon-launch-helper + /var/lib/snapd/snap/core/10823/usr/lib/openssh/ssh-keysign + /var/lib/snapd/snap/core/10823/usr/bin/newgrp + /var/lib/snapd/snap/core/10823/usr/bin/mail-lock + /var/lib/snapd/snap/core/10823/usr/bin/mail-unlock + /var/lib/snapd/snap/core/10583/usr/sbin/pppd + /var/lib/snapd/snap/core/10823/usr/lib/snapd/snap-confine + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/gpasswd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/write + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/su + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/pam_timestamp_check + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/chage + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/libexec/utempter/utempter + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/libexec/utempter/utempter + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/umount + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/mount + /usr/bin/chfn + /usr/bin/umount + /usr/bin/gpasswd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/pam_timestamp_check + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/su + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/umount + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/gpasswd + /usr/bin/fusermount + /usr/bin/sudo + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/unix_chkpwd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/newgrp + /usr/bin/write + /usr/bin/staprun + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/bin/pkexec + 
/var/lib/snapd/snap/core/10823/usr/sbin/pppd + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/write + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/unix_chkpwd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/grub2-set-bootflag + /usr/bin/chsh + /usr/bin/passwd + /usr/bin/fusermount-glusterfs + /usr/bin/chage + /usr/bin/fusermount3 + /usr/bin/ksu + /usr/bin/at + /usr/bin/mount + /usr/bin/vmware-user-suid-wrapper + /usr/bin/locate + /usr/libexec/qemu-bridge-helper + /usr/sbin/pam_timestamp_check + /usr/sbin/grub2-set-bootflag + /usr/libexec/snapd/snap-confine + /usr/libexec/openssh/ssh-keysign + /opt/google/chrome/chrome-sandbox + /usr/libexec/utempter/utempter + /usr/sbin/userhelper + /usr/sbin/mount.nfs + /usr/sbin/lockdev + /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper + /usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/libexec/Xorg.wrap + /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache + /usr/sbin/unix_chkpwd + + + + + + + + + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_auditctl_e + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_eacces_aug + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_auditctl_e + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_eperm_auge + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_open_by_handle_at_order_64bit_auditctl_eacces + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_eacces_aug + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values 
(oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_auditctl_e + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_eperm_auge + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_auditctl_eacces_regex:v + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_eacces_augenrules_regex + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_auditctl_eperm_regex:va + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_open_eperm_augenrules_regex: + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_open_order_64bit_auditctl_eacces_regex:var:1) + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_eacces_augenrules_regex + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_auditctl_eperm_regex:va + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_open_eperm_augenrules_regex: + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+a1&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_auditctl_eacces_regex + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_eacces_augenrules_reg + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_auditctl_eperm_regex: + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_32bit_openat_eperm_augenrules_rege + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_openat_order_64bit_auditctl_eacces_regex:var: + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_openat_eacces_augenrules_reg + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_openat_auditctl_eperm_regex: + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + Referenced variable has no values (oval:ssg-var_arufm_rule_order_64bit_openat_eperm_augenrules_rege + 
[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&0100)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+a2&01003)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+ + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + 
^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 51 + + + + 114 + + + + + 1574949854 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 10 + 11 + 12 + 15 + 18 + 19 + 20 + 33 + 39 + 50 + 54 + 63 + 100 + 65534 + 22 + 35 + 999 + 36 + 998 + 190 + 997 + 192 + 193 + 81 + 59 + 40 + 107 + 996 + 995 + 994 + 172 + 993 + 992 + 171 + 991 + 70 + 990 + 989 + 988 + 113 + 987 + 986 + 76 + 75 + 32 + 985 + 48 + 984 + 29 + 983 + 982 + 981 + 173 + 980 + 979 + 978 + 42 + 977 + 74 + 976 + 21 + 72 + 1000 + 156 + 157 + 158 + 135 + 975 + 974 + 973 + 972 + 971 + 970 + 969 + 968 + 967 + 966 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SHA512 + + + + + + + 99999 + + + + + + + 0 + + + + + Referenced variable has no values (oval:ssg-variable_last_pass_min_len_instance_value:var:1). 
+ + + + + + 7 + + + + + + + + + + + + + 703575 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /dev/cdrom + /dev/dvd + /dev/scd0 + /dev/sr0 + + + + + + + + + + + + + + + + + + + + + + ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + ^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + ^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + ^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + /dev/cdrom + /dev/dvd + /dev/scd0 + /dev/sr0 + + + ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + /dev/cdrom + + + ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + ^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + ^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + ^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + /dev/cdrom + /dev/dvd + /dev/scd0 + /dev/sr0 + + + ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + /dev/cdrom + + + + + + + + + + + + + ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + ^[\s]*/dev/dvd[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + ^[\s]*/dev/scd0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + ^[\s]*/dev/sr0[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + /dev/cdrom + /dev/dvd + /dev/scd0 + /dev/sr0 + + + ^[\s]*/dev/cdrom[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$ + /dev/cdrom + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 5000 + + + + + + + + + + + + + + + /dev/cdrom + + + + + + ^/etc/rsyslog.conf$ + ^/etc/rsyslog.conf$ + + + + ^/etc/rsyslog.conf$ + ^/etc/rsyslog.conf$ + + 
+ + ^/etc/rsyslog.conf$ + ^/etc/rsyslog.conf$ + + + + Can't find process with requested PID. + + + + Referenced variable has no values (oval:ssg-var_rfg_log_files_paths:var:1). + ^/etc/rsyslog.conf$ + ^/etc/rsyslog.conf$ + + + Referenced variable has no values (oval:ssg-var_rfo_log_files_paths:var:1). + ^/etc/rsyslog.conf$ + ^/etc/rsyslog.conf$ + + + Referenced variable has no values (oval:ssg-var_rfp_log_files_paths:var:1). + ^/etc/rsyslog.conf$ + ^/etc/rsyslog.conf$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /dev/video2 + /dev/vcs4 + /dev/ttyS12 + /dev/ttyS11 + /dev/ttyS10 + /dev/ttyS9 + /dev/ttyS8 + /dev/udmabuf + /dev/tpmrm0 + /dev/tpm0 + /dev/ttyS7 + /dev/ttyS6 + /dev/ttyS5 + /dev/ttyS4 + /dev/ttyS3 + /dev/usbmon6 + /dev/usbmon5 + /dev/usbmon4 + /dev/usbmon3 + /dev/lp2 + /dev/lp1 + /dev/hidraw2 + /dev/ttyS2 + /dev/ttyS1 + /dev/ttyS0 + /dev/ptmx + /dev/autofs + /dev/snapshot + /dev/tty52 + /dev/tty51 + /dev/tty50 + /dev/tty49 + /dev/tty48 + /dev/tty47 + /dev/usbmon2 + /dev/bus/usb/001/002 + /dev/usbmon0 + /dev/ppp + /dev/cuse + /dev/lp3 + /dev/tty63 + /dev/tty62 + /dev/tty61 + /dev/tty60 + /dev/tty59 + /dev/media0 + /dev/snd/pcmC0D0c + /dev/loop3 + /dev/vhost-net + /dev/vhci + /dev/vcsu2 + /dev/ttyS17 + /dev/ttyS16 + /dev/ttyS15 + /dev/ttyS14 + /dev/ttyS13 + /dev/vcs3 + /dev/hidraw0 + /dev/rfkill + /dev/loop0 + /dev/vcsa3 + /dev/vcsa4 + /dev/dm-0 + /dev/hidraw4 + /dev/fb0 + /dev/drm_dp_aux2 + /dev/ttyS31 + /dev/ttyS30 + /dev/ttyS29 + /dev/ttyS28 + /dev/tty46 + /dev/tty45 + /dev/tty44 + /dev/tty43 + /dev/tty42 + /dev/tty41 + /dev/loop2 + /dev/vcsu4 + /dev/tty40 + /dev/tty39 + /dev/tty38 + /dev/tty37 + /dev/tty36 + /dev/tty35 + /dev/vcsu3 + /dev/lp0 + /dev/video1 + /dev/video0 + /dev/media1 + /dev/drm_dp_aux1 + 
/dev/drm_dp_aux0 + /dev/tty58 + /dev/tty57 + /dev/tty56 + /dev/tty55 + /dev/tty54 + /dev/tty53 + /dev/watchdog0 + /dev/vcs2 + /dev/tty10 + /dev/tty9 + /dev/tty8 + /dev/tty7 + /dev/tty6 + /dev/tty5 + /dev/vcsa5 + /dev/vcsu5 + /dev/urandom + /dev/random + /dev/full + /dev/zero + /dev/port + /dev/null + /dev/mem + /dev/tty34 + /dev/tty33 + /dev/tty32 + /dev/tty31 + /dev/tty30 + /dev/tty29 + /dev/drm_dp_aux4 + /dev/drm_dp_aux3 + /dev/uhid + /dev/loop-control + /dev/fuse + /dev/nvme0n1p2 + /dev/nvme0n1p1 + /dev/tty16 + /dev/tty15 + /dev/tty14 + /dev/tty13 + /dev/tty12 + /dev/tty11 + /dev/tty22 + /dev/tty21 + /dev/tty20 + /dev/tty19 + /dev/tty18 + /dev/tty17 + /dev/ttyS27 + /dev/ttyS26 + /dev/ttyS25 + /dev/ttyS24 + /dev/ttyS23 + /dev/vcs5 + /dev/watchdog + /dev/nvme0n1 + /dev/input/event22 + /dev/gpiochip0 + /dev/uinput + /dev/tty4 + /dev/tty3 + /dev/tty2 + /dev/tty1 + /dev/vcsa1 + /dev/vcsu1 + /dev/vcs1 + /dev/vga_arbiter + /dev/vcs6 + /dev/ttyS22 + /dev/ttyS21 + /dev/ttyS20 + /dev/ttyS19 + /dev/ttyS18 + /dev/vcsa2 + /dev/vcsa + /dev/vcsu + /dev/vcs + /dev/tty0 + /dev/console + /dev/tty + /dev/kmsg + /dev/video3 + /dev/tty28 + /dev/tty27 + /dev/tty26 + /dev/tty25 + /dev/tty24 + /dev/tty23 + /dev/vcsu6 + /dev/drm_dp_aux5 + /dev/mei0 + /dev/vcsa6 + /dev/ptp0 + /dev/hidraw3 + /dev/rtc0 + /dev/input/event16 + /dev/usbmon7 + /dev/dm-2 + /dev/mcelog + /dev/dm-3 + /dev/acpi_thermal_rel + /dev/snd/controlC0 + /dev/snd/hwC0D2 + /dev/snd/hwC0D0 + /dev/snd/pcmC0D10p + /dev/snd/pcmC0D9p + /dev/snd/pcmC0D8p + /dev/snd/pcmC0D7p + /dev/snd/pcmC0D0p + /dev/snd/pcmC1D0c + /dev/snd/pcmC1D0p + /dev/snd/seq + /dev/snd/timer + /dev/vhost-vsock + /dev/snd/pcmC0D3p + /dev/vfio/vfio + /dev/snd/controlC1 + /dev/net/tun + /dev/usb/hiddev0 + /dev/zram0 + /dev/dm-1 + /dev/dri/card0 + /dev/dri/renderD128 + /dev/nvme0n1p3 + /dev/ng0n1 + /dev/nvme0 + /dev/hidraw1 + /dev/cpu_dma_latency + /dev/pts/0 + /dev/pts/1 + /dev/pts/ptmx + /dev/bus/usb/007/001 + /dev/btrfs-control + /dev/bus/usb/004/001 + 
/dev/mapper/control + /dev/input/mouse1 + /dev/input/event21 + /dev/input/mouse0 + /dev/input/event20 + /dev/input/event19 + /dev/input/event18 + /dev/input/event17 + /dev/input/event9 + /dev/input/event8 + /dev/input/event15 + /dev/input/event14 + /dev/input/event13 + /dev/input/event11 + /dev/input/event10 + /dev/input/mouse2 + /dev/input/event7 + /dev/input/event6 + /dev/input/event5 + /dev/input/event4 + /dev/input/event3 + /dev/input/event2 + /dev/input/event1 + /dev/input/event0 + /dev/input/mice + /dev/usbmon8 + /dev/bus/usb/008/001 + /dev/input/event12 + /dev/bus/usb/005/002 + /dev/bus/usb/002/001 + /dev/bus/usb/006/002 + /dev/bus/usb/006/001 + /dev/dma_heap/system + /dev/bus/usb/005/001 + /dev/raw/rawctl + /dev/bus/usb/003/004 + /dev/usbmon1 + /dev/bus/usb/003/003 + /dev/bus/usb/003/002 + /dev/bus/usb/003/001 + /dev/cpu/6/cpuid + /dev/bus/usb/001/001 + /dev/cpu/5/cpuid + /dev/cpu/4/cpuid + /dev/cpu/7/cpuid + /dev/cpu/7/msr + /dev/cpu/3/cpuid + /dev/cpu/6/msr + /dev/cpu/2/cpuid + /dev/cpu/5/msr + /dev/cpu/1/cpuid + /dev/cpu/4/msr + /dev/cpu/0/cpuid + /dev/cpu/3/msr + /dev/cpu/2/msr + /dev/cpu/1/msr + /dev/cpu/0/msr + /dev/kvm + /dev/loop1 + /dev/hwrng + /dev/nvram + /dev/hpet + + + + /dev/video2 + /dev/vcs4 + /dev/ttyS12 + /dev/ttyS11 + /dev/ttyS10 + /dev/ttyS9 + /dev/ttyS8 + /dev/udmabuf + /dev/tpmrm0 + /dev/tpm0 + /dev/ttyS7 + /dev/ttyS6 + /dev/ttyS5 + /dev/ttyS4 + /dev/ttyS3 + /dev/usbmon6 + /dev/usbmon5 + /dev/usbmon4 + /dev/usbmon3 + /dev/lp2 + /dev/lp1 + /dev/hidraw2 + /dev/ttyS2 + /dev/ttyS1 + /dev/ttyS0 + /dev/ptmx + /dev/autofs + /dev/snapshot + /dev/tty52 + /dev/tty51 + /dev/tty50 + /dev/tty49 + /dev/tty48 + /dev/tty47 + /dev/usbmon2 + /dev/bus/usb/001/002 + /dev/usbmon0 + /dev/ppp + /dev/cuse + /dev/lp3 + /dev/tty63 + /dev/tty62 + /dev/tty61 + /dev/tty60 + /dev/tty59 + /dev/media0 + /dev/snd/pcmC0D0c + /dev/loop3 + /dev/vhost-net + /dev/vhci + /dev/vcsu2 + /dev/ttyS17 + /dev/ttyS16 + /dev/ttyS15 + /dev/ttyS14 + /dev/ttyS13 + /dev/vcs3 + 
/dev/hidraw0 + /dev/rfkill + /dev/loop0 + /dev/vcsa3 + /dev/vcsa4 + /dev/dm-0 + /dev/hidraw4 + /dev/fb0 + /dev/drm_dp_aux2 + /dev/ttyS31 + /dev/ttyS30 + /dev/ttyS29 + /dev/ttyS28 + /dev/tty46 + /dev/tty45 + /dev/tty44 + /dev/tty43 + /dev/tty42 + /dev/tty41 + /dev/loop2 + /dev/vcsu4 + /dev/tty40 + /dev/tty39 + /dev/tty38 + /dev/tty37 + /dev/tty36 + /dev/tty35 + /dev/vcsu3 + /dev/lp0 + /dev/video1 + /dev/video0 + /dev/media1 + /dev/drm_dp_aux1 + /dev/drm_dp_aux0 + /dev/tty58 + /dev/tty57 + /dev/tty56 + /dev/tty55 + /dev/tty54 + /dev/tty53 + /dev/watchdog0 + /dev/vcs2 + /dev/tty10 + /dev/tty9 + /dev/tty8 + /dev/tty7 + /dev/tty6 + /dev/tty5 + /dev/vcsa5 + /dev/vcsu5 + /dev/urandom + /dev/random + /dev/full + /dev/zero + /dev/port + /dev/null + /dev/mem + /dev/tty34 + /dev/tty33 + /dev/tty32 + /dev/tty31 + /dev/tty30 + /dev/tty29 + /dev/drm_dp_aux4 + /dev/drm_dp_aux3 + /dev/uhid + /dev/loop-control + /dev/fuse + /dev/nvme0n1p2 + /dev/nvme0n1p1 + /dev/tty16 + /dev/tty15 + /dev/tty14 + /dev/tty13 + /dev/tty12 + /dev/tty11 + /dev/tty22 + /dev/tty21 + /dev/tty20 + /dev/tty19 + /dev/tty18 + /dev/tty17 + /dev/ttyS27 + /dev/ttyS26 + /dev/ttyS25 + /dev/ttyS24 + /dev/ttyS23 + /dev/vcs5 + /dev/watchdog + /dev/nvme0n1 + /dev/input/event22 + /dev/gpiochip0 + /dev/uinput + /dev/tty4 + /dev/tty3 + /dev/tty2 + /dev/tty1 + /dev/vcsa1 + /dev/vcsu1 + /dev/vcs1 + /dev/vga_arbiter + /dev/vcs6 + /dev/ttyS22 + /dev/ttyS21 + /dev/ttyS20 + /dev/ttyS19 + /dev/ttyS18 + /dev/vcsa2 + /dev/vcsa + /dev/vcsu + /dev/vcs + /dev/tty0 + /dev/console + /dev/tty + /dev/kmsg + /dev/video3 + /dev/tty28 + /dev/tty27 + /dev/tty26 + /dev/tty25 + /dev/tty24 + /dev/tty23 + /dev/vcsu6 + /dev/drm_dp_aux5 + /dev/mei0 + /dev/vcsa6 + /dev/ptp0 + /dev/hidraw3 + /dev/rtc0 + /dev/input/event16 + /dev/usbmon7 + /dev/dm-2 + /dev/mcelog + /dev/dm-3 + /dev/acpi_thermal_rel + /dev/snd/controlC0 + /dev/snd/hwC0D2 + /dev/snd/hwC0D0 + /dev/snd/pcmC0D10p + /dev/snd/pcmC0D9p + /dev/snd/pcmC0D8p + /dev/snd/pcmC0D7p + 
/dev/snd/pcmC0D0p + /dev/snd/pcmC1D0c + /dev/snd/pcmC1D0p + /dev/snd/seq + /dev/snd/timer + /dev/vhost-vsock + /dev/snd/pcmC0D3p + /dev/vfio/vfio + /dev/snd/controlC1 + /dev/net/tun + /dev/usb/hiddev0 + /dev/zram0 + /dev/dm-1 + /dev/dri/card0 + /dev/dri/renderD128 + /dev/nvme0n1p3 + /dev/ng0n1 + /dev/nvme0 + /dev/hidraw1 + /dev/cpu_dma_latency + /dev/pts/0 + /dev/pts/1 + /dev/pts/ptmx + /dev/bus/usb/007/001 + /dev/btrfs-control + /dev/bus/usb/004/001 + /dev/mapper/control + /dev/input/mouse1 + /dev/input/event21 + /dev/input/mouse0 + /dev/input/event20 + /dev/input/event19 + /dev/input/event18 + /dev/input/event17 + /dev/input/event9 + /dev/input/event8 + /dev/input/event15 + /dev/input/event14 + /dev/input/event13 + /dev/input/event11 + /dev/input/event10 + /dev/input/mouse2 + /dev/input/event7 + /dev/input/event6 + /dev/input/event5 + /dev/input/event4 + /dev/input/event3 + /dev/input/event2 + /dev/input/event1 + /dev/input/event0 + /dev/input/mice + /dev/usbmon8 + /dev/bus/usb/008/001 + /dev/input/event12 + /dev/bus/usb/005/002 + /dev/bus/usb/002/001 + /dev/bus/usb/006/002 + /dev/bus/usb/006/001 + /dev/dma_heap/system + /dev/bus/usb/005/001 + /dev/raw/rawctl + /dev/bus/usb/003/004 + /dev/usbmon1 + /dev/bus/usb/003/003 + /dev/bus/usb/003/002 + /dev/bus/usb/003/001 + /dev/cpu/6/cpuid + /dev/bus/usb/001/001 + /dev/cpu/5/cpuid + /dev/cpu/4/cpuid + /dev/cpu/7/cpuid + /dev/cpu/7/msr + /dev/cpu/3/cpuid + /dev/cpu/6/msr + /dev/cpu/2/cpuid + /dev/cpu/5/msr + /dev/cpu/1/cpuid + /dev/cpu/4/msr + /dev/cpu/0/cpuid + /dev/cpu/3/msr + /dev/cpu/2/msr + /dev/cpu/1/msr + /dev/cpu/0/msr + /dev/kvm + /dev/loop1 + /dev/hwrng + /dev/nvram + /dev/hpet + + + + + + \nauth[\s]+required[\s]+pam_env.so\nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s]login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid\nauth[\s]+\[success=done[\s]authinfo_unavail=ignore[\s]ignore=ignore[\s]default=die\][\s]pam_pkcs11.so[\s]nodebug\n + + + 
\nauth[\s]+required[\s]+pam_env.so\nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s]pam_pkcs11.so[\s]nodebug[\s]wait_for_card\n.*\npassword[\s]+required[\s]+pam_pkcs11.so\n + + + \nauth[\s]+required[\s]+pam_env.so\nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s]login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid\nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s]pam_pkcs11.so[\s]nodebug[\s]wait_for_card\n + + + + + + + + 0 + + + + 0 + + + + 0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /usr/share/crypto-policies/DEFAULT/krb5.txt + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 5000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 7 + 2 + 0 + 23 + 027 + + + + 0 + + + + + + + + + + + + + + + + + /dev/cdrom + + + + ^/etc/rsyslog.conf$ + + + + Referenced variable has no values (oval:ssg-var_rfg_include_config_regex:var:1). + + + ^/etc/rsyslog.conf$ + + + + Referenced variable has no values (oval:ssg-var_rfo_include_config_regex:var:1). 
+ + + ^/etc/rsyslog.conf$ + + + + Referenced variable has no values (oval:ssg-var_rfp_include_config_regex:var:1). + + + 18 + 022 + 2 + 2 + 0 + + + + + + + + + + + + + + + + /proc/1343/coredump_filter + /proc/1343 + coredump_filter + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/sessionid + /proc/1343 + sessionid + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/loginuid + /proc/1343 + loginuid + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/oom_score_adj + /proc/1343 + oom_score_adj + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/oom_adj + /proc/1343 + oom_adj + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/oom_score + /proc/1343 + oom_score + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/cpu_resctrl_groups + /proc/1343 + cpu_resctrl_groups + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/cgroup + /proc/1343 + cgroup + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/cpuset + /proc/1343 + cpuset + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/latency + /proc/1343 + latency + system_u + system_r + unconfined_service_t + s0 + s0 + + + /etc/motd + /etc + motd + regular + 0 + 0 + 1628085891 + 1622809331 + 1592892703 + 0 + false + false + false + true + true + false + true + false + false + true + false + false + false + + + /proc/1343/schedstat + /proc/1343 + schedstat + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/stack + /proc/1343 + stack + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/wchan + /proc/1343 + wchan + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/pagemap + /proc/1343 + pagemap + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/smaps_rollup + /proc/1343 + smaps_rollup + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/smaps + 
/proc/1343 + smaps + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/clear_refs + /proc/1343 + clear_refs + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/mountstats + /proc/1343 + mountstats + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/mountinfo + /proc/1343 + mountinfo + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/mounts + /proc/1343 + mounts + system_u + system_r + unconfined_service_t + s0 + s0 + + + /etc/issue + /etc + issue + symbolic link + 0 + 0 + 1629099980 + 1622809331 + 1618252698 + 16 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /proc/1343/mem + /proc/1343 + mem + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/numa_maps + /proc/1343 + numa_maps + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/maps + /proc/1343 + maps + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/statm + /proc/1343 + statm + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/stat + /proc/1343 + stat + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/cmdline + /proc/1343 + cmdline + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/syscall + /proc/1343 + syscall + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/comm + /proc/1343 + comm + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/timens_offsets + /proc/1343 + timens_offsets + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/autogroup + /proc/1343 + autogroup + system_u + system_r + unconfined_service_t + s0 + s0 + + + /etc/dnf/dnf.conf + /etc/dnf + dnf.conf + ^\s*gpgcheck\s*=\s*1\s*$ + 1 + ^\s*gpgcheck\s*=\s*1\s*$ + gpgcheck=1 + + + /proc/1343/sched + /proc/1343 + sched + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/limits + /proc/1343 + limits + system_u + 
system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/personality + /proc/1343 + personality + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/status + /proc/1343 + status + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/auxv + /proc/1343 + auxv + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/environ + /proc/1343 + environ + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/arch_status + /proc/1332 + arch_status + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/patch_state + /proc/1332 + patch_state + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/timerslack_ns + /proc/1332 + timerslack_ns + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/timers + /proc/1332 + timers + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/setgroups + /proc/1332 + setgroups + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/projid_map + /proc/1332 + projid_map + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/gid_map + /proc/1332 + gid_map + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/uid_map + /proc/1332 + uid_map + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/io + /proc/1332 + io + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/coredump_filter + /proc/1332 + coredump_filter + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/sessionid + /proc/1332 + sessionid + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/loginuid + /proc/1332 + loginuid + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/oom_score_adj + /proc/1332 + oom_score_adj + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/oom_adj + /proc/1332 + oom_adj + system_u + system_r + unconfined_service_t + s0 + s0 + + + multi-user.target + basic.target + 
sysinit.target + veritysetup.target + sys-kernel-config.mount + lvm2-lvmpolld.socket + systemd-ask-password-console.path + ldconfig.service + systemd-hwdb-update.service + plymouth-read-write.service + swap.target + dev-mapper-fedora_localhost\x2d\x2dlive\x2dswap.swap + dev-zram0.swap + import-state.service + systemd-sysusers.service + local-fs.target + home.mount + -.mount + boot-efi.mount + boot.mount + systemd-remount-fs.service + systemd-fsck-root.service + tmp.mount + ostree-remount.service + systemd-journal-flush.service + sys-kernel-tracing.mount + proc-sys-fs-binfmt_misc.automount + kmod-static-nodes.service + systemd-journal-catalog-update.service + systemd-udev-trigger.service + systemd-machine-id-commit.service + systemd-modules-load.service + systemd-firstboot.service + systemd-tmpfiles-setup-dev.service + sys-kernel-debug.mount + selinux-autorelabel-mark.service + dev-hugepages.mount + systemd-update-done.service + systemd-repart.service + multipathd.service + systemd-udevd.service + systemd-boot-system-token.service + systemd-journald.service + sys-fs-fuse-connections.mount + systemd-tmpfiles-setup.service + dracut-shutdown.service + dev-mqueue.mount + systemd-binfmt.service + systemd-random-seed.service + systemd-sysctl.service + cryptsetup.target + systemd-cryptsetup@luks\x2dd6e9ed6a\x2da261\x2d4e3c\x2da325\x2d4794ab4551bb.service + lvm2-monitor.service + plymouth-start.service + systemd-update-utmp.service + low-memory-monitor.service + slices.target + system.slice + -.slice + paths.target + sockets.target + systemd-udevd-control.socket + iscsiuio.socket + dbus.socket + sssd-kcm.socket + cups.socket + virtlockd.socket + pcscd.socket + systemd-journald-dev-log.socket + systemd-coredump.socket + snapd.socket + systemd-journald.socket + libvirtd-ro.socket + multipathd.socket + iscsid.socket + avahi-daemon.socket + dm-event.socket + systemd-journald-audit.socket + systemd-udevd-kernel.socket + systemd-initctl.socket + virtlogd.socket + libvirtd.socket 
+ rpmdb-rebuild.service + timers.target + unbound-anchor.timer + logrotate.timer + mlocate-updatedb.timer + dnf-makecache.timer + fstrim.timer + systemd-tmpfiles-clean.timer + sshd.service + var-lib-snapd-snap-core-10823.mount + sssd.service + vboxservice.service + firewalld.service + nfs-client.target + auth-rpcgss-module.service + rpc-statd-notify.service + remote-fs-pre.target + systemd-ask-password-wall.path + auditd.service + abrtd.service + lm_sensors.service + avahi-daemon.service + systemd-oomd.service + mdmonitor.service + rngd.service + ModemManager.service + systemd-update-utmp-runlevel.service + thermald.service + vmtoolsd.service + abrt-xorg.service + livesys.service + abrt-oops.service + plymouth-quit.service + cups.path + crond.service + abrt-journal-core.service + var-lib-snapd-snap-intellij\x2didea\x2dcommunity-270.mount + cups-browsed.service + plymouth-quit-wait.service + var-lib-snapd-snap-intellij\x2didea\x2dcommunity-273.mount + livesys-late.service + var-lib-snapd-snap-core-10583.mount + getty.target + getty@tty1.service + systemd-resolved.service + chronyd.service + systemd-user-sessions.service + flatpak-add-fedora-repos.service + mcelog.service + abrt-vmcore.service + netcf-transaction.service + atd.service + cups.service + systemd-logind.service + remote-fs.target + iscsi.service + var-lib-machines.mount + libvirtd.service + NetworkManager.service + + + /proc/1332/oom_score + /proc/1332 + oom_score + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/cpu_resctrl_groups + /proc/1332 + cpu_resctrl_groups + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/cgroup + /proc/1332 + cgroup + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/cpuset + /proc/1332 + cpuset + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/latency + /proc/1332 + latency + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/schedstat + /proc/1332 + schedstat + system_u + 
system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/stack + /proc/1332 + stack + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/wchan + /proc/1332 + wchan + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/pagemap + /proc/1332 + pagemap + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/smaps_rollup + /proc/1332 + smaps_rollup + system_u + system_r + unconfined_service_t + s0 + s0 + + + /etc/yum.repos.d/_copr:copr.devel.redhat.com:rhcopr-project:toolset.repo + /etc/yum.repos.d + _copr:copr.devel.redhat.com:rhcopr-project:toolset.repo + ^\s*gpgcheck\s*=\s*0\s*$ + 1 + ^\s*gpgcheck\s*=\s*0\s*$ + gpgcheck=0 + + + /proc/1332/smaps + /proc/1332 + smaps + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/clear_refs + /proc/1332 + clear_refs + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/mountstats + /proc/1332 + mountstats + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/mountinfo + /proc/1332 + mountinfo + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/mounts + /proc/1332 + mounts + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/mem + /proc/1332 + mem + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/numa_maps + /proc/1332 + numa_maps + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/maps + /proc/1332 + maps + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/statm + /proc/1332 + statm + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/stat + /proc/1332 + stat + system_u + system_r + unconfined_service_t + s0 + s0 + + + /etc/yum.repos.d/_copr:copr.devel.redhat.com:kdudka:covscan-testing.repo + /etc/yum.repos.d + _copr:copr.devel.redhat.com:kdudka:covscan-testing.repo + ^\s*gpgcheck\s*=\s*0\s*$ + 1 + ^\s*gpgcheck\s*=\s*0\s*$ + gpgcheck=0 + + + /proc/1332/cmdline + /proc/1332 + cmdline + system_u + system_r 
+ unconfined_service_t + s0 + s0 + + + /proc/1332/syscall + /proc/1332 + syscall + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/comm + /proc/1332 + comm + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/timens_offsets + /proc/1332 + timens_offsets + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/autogroup + /proc/1332 + autogroup + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/sched + /proc/1332 + sched + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/limits + /proc/1332 + limits + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/personality + /proc/1332 + personality + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/status + /proc/1332 + status + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1332/auxv + /proc/1332 + auxv + system_u + system_r + unconfined_service_t + s0 + s0 + + + /etc/yum.repos.d/beaker-client.repo + /etc/yum.repos.d + beaker-client.repo + ^\s*gpgcheck\s*=\s*0\s*$ + 1 + ^\s*gpgcheck\s*=\s*0\s*$ + gpgcheck=0 + + + + /proc/1332/environ + /proc/1332 + environ + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/cmdline + /proc + cmdline + ^BOOT_IMAGE(.*)$ + 1 + ^BOOT_IMAGE(.*)$ + BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.13.8-200.fc34.x86_64 root=/dev/mapper/fedora_localhost--live-root ro resume=/dev/mapper/fedora_localhost--live-swap rd.lvm.lv=fedora_localhost-live/root rd.luks.uuid=luks-d6e9ed6a-a261-4e3c-a325-4794ab4551bb rd.lvm.lv=fedora_localhost-live/swap rhgb quiet + =(hd0,gpt2)/vmlinuz-5.13.8-200.fc34.x86_64 root=/dev/mapper/fedora_localhost--live-root ro resume=/dev/mapper/fedora_localhost--live-swap rd.lvm.lv=fedora_localhost-live/root rd.luks.uuid=luks-d6e9ed6a-a261-4e3c-a325-4794ab4551bb rd.lvm.lv=fedora_localhost-live/swap rhgb quiet + + + /etc/selinux/config + /etc/selinux + config + ^SELINUX=(.*)$ + 1 + ^SELINUX=(.*)$ + SELINUX=enforcing + enforcing + + + 
policycoreutils + x86_64 + (none) + 1.fc34 + 3.2 + 0:3.2-1.fc34 + 1161ae6945719a39 + policycoreutils-0:3.2-1.fc34.x86_64 + + + libselinux + x86_64 + (none) + 1.fc34 + 3.2 + 0:3.2-1.fc34 + 1161ae6945719a39 + libselinux-0:3.2-1.fc34.x86_64 + + + net.ipv6.conf.default.accept_redirects + 1 + + + net.ipv6.conf.default.max_addresses + 16 + + + net.ipv6.conf.all.accept_ra_pinfo + 1 + + + net.ipv6.conf.default.accept_ra_rtr_pref + 1 + + + net.ipv6.conf.default.autoconf + 1 + + + /etc/yum.repos.d/qa-tools.repo + /etc/yum.repos.d + qa-tools.repo + ^\s*gpgcheck\s*=\s*0\s*$ + 1 + ^\s*gpgcheck\s*=\s*0\s*$ + gpgcheck=0 + + + + net.ipv6.conf.all.accept_ra_defrtr + 1 + + + net.ipv6.conf.default.accept_ra_defrtr + 1 + + + net.ipv6.conf.all.router_solicitations + -1 + + + net.ipv6.conf.all.autoconf + 1 + + + net.ipv6.conf.default.router_solicitations + -1 + + + net.ipv6.conf.default.accept_ra + 1 + + + net.ipv6.conf.default.accept_ra_pinfo + 1 + + + net.ipv6.conf.all.accept_ra_rtr_pref + 1 + + + net.ipv6.conf.all.max_addresses + 16 + + + /etc/netconfig + /etc + netconfig + ^tcp6\s+tpi_cots_ord\s+v\s+inet6\s+tcp\s+-\s+-$ + 1 + ^tcp6\s+tpi_cots_ord\s+v\s+inet6\s+tcp\s+-\s+-$ + tcp6 tpi_cots_ord v inet6 tcp - - + + + /etc/yum.repos.d/_copr:copr.devel.redhat.com:kdudka:covscan.repo + /etc/yum.repos.d + _copr:copr.devel.redhat.com:kdudka:covscan.repo + ^\s*gpgcheck\s*=\s*0\s*$ + 1 + ^\s*gpgcheck\s*=\s*0\s*$ + gpgcheck=0 + + + /etc/netconfig + /etc + netconfig + ^udp6\s+tpi_clts\s+v\s+inet6\s+udp\s+-\s+-$ + 1 + ^udp6\s+tpi_clts\s+v\s+inet6\s+udp\s+-\s+-$ + udp6 tpi_clts v inet6 udp - - + + + net.ipv6.conf.all.disable_ipv6 + 0 + + + net.ipv4.conf.all.secure_redirects + 1 + + + net.ipv4.conf.all.rp_filter + 0 + + + net.ipv4.tcp_syncookies + 1 + + + net.ipv4.icmp_echo_ignore_broadcasts + 1 + + + net.ipv4.conf.default.secure_redirects + 1 + + + net.ipv4.ip_local_port_range + 32768 60999 + + + net.ipv4.conf.default.accept_redirects + 1 + + + net.ipv4.conf.all.accept_redirects + 0 + + + 
/etc/yum.repos.d/_copr:copr.devel.redhat.com:lpol:qa-tools.repo + /etc/yum.repos.d + _copr:copr.devel.redhat.com:lpol:qa-tools.repo + ^\s*gpgcheck\s*=\s*0\s*$ + 1 + ^\s*gpgcheck\s*=\s*0\s*$ + gpgcheck=0 + + + net.ipv4.conf.default.accept_source_route + 0 + + + /usr/lib/sysctl.d/50-default.conf + /usr/lib/sysctl.d + 50-default.conf + (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n + 1 + (?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n + # Do not accept source routing +net.ipv4.conf.default.accept_source_route = 0 + + 0 + + + net.ipv4.conf.default.log_martians + 0 + + + net.ipv4.conf.all.log_martians + 0 + + + net.ipv4.conf.default.rp_filter + 2 + + + /usr/lib/sysctl.d/50-default.conf + /usr/lib/sysctl.d + 50-default.conf + (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n + 1 + (?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n + # Source route verification +net.ipv4.conf.default.rp_filter = 2 + + 2 + + + net.ipv4.icmp_ignore_bogus_error_responses + 1 + + + net.ipv4.conf.all.accept_source_route + 0 + + + net.ipv4.conf.default.send_redirects + 1 + + + net.ipv4.conf.all.send_redirects + 1 + + + /etc/yum.repos.d/_copr:copr.devel.redhat.com:kdudka:mock.repo + /etc/yum.repos.d + _copr:copr.devel.redhat.com:kdudka:mock.repo + ^\s*gpgcheck\s*=\s*0\s*$ + 1 + ^\s*gpgcheck\s*=\s*0\s*$ + gpgcheck=0 + + + net.ipv4.ip_forward + 1 + + + firewalld.service + ActiveState + active + + + firewalld + noarch + (none) + 1.fc34 + 0.9.4 + 0:0.9.4-1.fc34 + 1161ae6945719a39 + firewalld-0:0.9.4-1.fc34.noarch + + + iptables.service + ActiveState + inactive + + + ip6tables.service + ActiveState + inactive + + + /proc/net/wireless + /proc/net + wireless + ^\s*[-\w]+: + 1 + ^\s*[-\w]+: + wlp0s20f3: + + + bluetooth.service + FragmentPath + /usr/lib/systemd/system/bluetooth.service + + + bluetooth.service + LoadState + loaded + + + bluetooth.service + ActiveState + active + + + bluez + x86_64 + 
(none) + 2.fc34 + 5.60 + 0:5.60-2.fc34 + 1161ae6945719a39 + bluez-0:5.60-2.fc34.x86_64 + + + gpg-pubkey + (none) + (none) + 490b0e11 + f7e257e6 + 0:f7e257e6-490b0e11 + 0 + gpg-pubkey-0:f7e257e6-490b0e11.(none) + + + oval:ssg-var_rfp_syslog_config:var:1 + ^/etc/rsyslog.conf$ + + + oval:ssg-var_rfg_syslog_config:var:1 + ^/etc/rsyslog.conf$ + + + oval:ssg-var_rfo_syslog_config:var:1 + ^/etc/rsyslog.conf$ + + + /etc/logrotate.conf + /etc + logrotate.conf + ^\s*(weekly|monthly|yearly)[\s#]*$ + 1 + ^\s*(weekly|monthly|yearly)[\s#]*$ + weekly + + weekly + + + /boot/efi + /dev/nvme0n1p1 + 2F21-03B8 + vfat + rw + relatime + fmask=0077 + dmask=0077 + codepage=437 + iocharset=ascii + shortname=winnt + errors=remount-ro + bind + 153296 + 7145 + 146151 + + + /home + /dev/mapper/fedora_localhost--live-home + 984e5d60-c3e6-4242-864c-8d5cde298dde + ext4 + rw + seclabel + relatime + bind + 38763872 + 30000371 + 8763501 + + + /tmp + tmpfs + + tmpfs + rw + seclabel + nosuid + nodev + size=16320736k + nr_inodes=409600 + inode64 + 4080184 + 1382908 + 2697276 + + + oval:ssg-var_removable_partition:var:1 + /dev/cdrom + + + /dev/shm + tmpfs + + tmpfs + rw + seclabel + nosuid + nodev + inode64 + 4080183 + 67125 + 4013058 + + + /etc/passwd- + /etc + passwd- + regular + 0 + 0 + 1622796917 + 1622809484 + 1607345518 + 2808 + false + false + false + true + true + false + true + false + false + true + false + false + false + + + gpg-pubkey + (none) + (none) + 4615767f + 7fac5991 + 0:7fac5991-4615767f + 0 + gpg-pubkey-0:7fac5991-4615767f.(none) + + + /etc/shadow + /etc + shadow + regular + 0 + 0 + 1629099981 + 1622809484 + 1622809484 + 1474 + false + false + false + false + false + false + false + false + false + false + false + false + false + + + /etc/shadow- + /etc + shadow- + regular + 0 + 0 + 1622796919 + 1622809484 + 1607345518 + 1447 + false + false + false + false + false + false + false + false + false + false + false + false + false + + + /etc/group + /etc + group + regular + 0 + 0 + 
1629099969 + 1622811788 + 1622811788 + 1252 + false + false + false + true + true + false + true + false + false + true + false + false + false + + + /etc/gshadow + /etc + gshadow + regular + 0 + 0 + 1624012971 + 1622811788 + 1622811788 + 1014 + false + false + false + false + false + false + false + false + false + false + false + false + false + + + /etc/passwd + /etc + passwd + regular + 0 + 0 + 1629099969 + 1622809484 + 1622809484 + 2875 + false + false + false + true + true + false + true + false + false + true + false + false + false + + + /etc/gshadow- + /etc + gshadow- + regular + 0 + 0 + 1622811788 + 1622811788 + 1622810787 + 1005 + false + false + false + false + false + false + false + false + false + false + false + false + false + + + /etc/group- + /etc + group- + regular + 0 + 0 + 1622810791 + 1622811788 + 1622810787 + 1241 + false + false + false + true + true + false + true + false + false + true + false + false + false + + + /var/log/ + + directory + 0 + 0 + 1629101608 + 1629101520 + 1629101520 + 4096 + false + false + false + true + true + true + true + false + true + true + false + true + false + + + /lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext/chrome/content/compote.xul + /lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext/chrome/content + compote.xul + regular + 0 + 0 + 1629119724 + 1628586845 + 1267189844 + 559 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext/chrome/content/compote.js + /lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext/chrome/content + compote.js + regular + 0 + 0 + 1629119724 + 1628586845 + 1267196925 + 3888 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + gpg-pubkey + (none) + (none) + 5dadbc64 + 94843c65 + 
0:94843c65-5dadbc64 + 0 + gpg-pubkey-0:94843c65-5dadbc64.(none) + + + /lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext/chrome/content/mimic.js + /lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext/chrome/content + mimic.js + regular + 0 + 0 + 1629119724 + 1628586845 + 1267189850 + 8099 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext/chrome.manifest + /lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext + chrome.manifest + regular + 0 + 0 + 1629119724 + 1628586845 + 1265129231 + 122 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext/install.rdf + /lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext + install.rdf + regular + 0 + 0 + 1629119724 + 1628586845 + 1311250848 + 1275 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /usr/lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext/chrome/content/compote.xul + /usr/lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext/chrome/content + compote.xul + regular + 0 + 0 + 1629119724 + 1628586845 + 1267189844 + 559 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /usr/lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext/chrome/content/compote.js + /usr/lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext/chrome/content + compote.js + regular + 0 + 0 + 1629119724 + 1628586845 + 1267196925 + 3888 + false + false + false + true + true + false + true + true + false + true 
+ false + false + false + + + /usr/lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext/chrome/content/mimic.js + /usr/lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext/chrome/content + mimic.js + regular + 0 + 0 + 1629119724 + 1628586845 + 1267189850 + 8099 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /usr/lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext/chrome.manifest + /usr/lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext + chrome.manifest + regular + 0 + 0 + 1629119724 + 1628586845 + 1265129231 + 122 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /usr/lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext/install.rdf + /usr/lib64/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/compote@zelialovo.ext + install.rdf + regular + 0 + 0 + 1629119724 + 1628586845 + 1311250848 + 1275 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + gpg-pubkey + (none) + (none) + 5910b0f0 + 222d23d0 + 0:222d23d0-5910b0f0 + 0 + gpg-pubkey-0:222d23d0-5910b0f0.(none) + + + gpg-pubkey + (none) + (none) + 5d5156ab + 12c944d0 + 0:12c944d0-5d5156ab + 0 + gpg-pubkey-0:12c944d0-5d5156ab.(none) + + + gpg-pubkey + (none) + (none) + 5f2c0192 + 45719a39 + 0:45719a39-5f2c0192 + 0 + gpg-pubkey-0:45719a39-5f2c0192.(none) + + + gpg-pubkey + (none) + (none) + 570c8cd3 + d38b4796 + 0:d38b4796-570c8cd3 + 0 + gpg-pubkey-0:d38b4796-570c8cd3.(none) + + + /var/lib/snapd/snap/core/10823/var/log/wtmp + /var/lib/snapd/snap/core/10823/var/log + wtmp + regular + 43 + 0 + 1612339800 + 1612339800 + 1612339800 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + + + + /var/lib/snapd/snap/core/10823/var/log/lastlog + 
/var/lib/snapd/snap/core/10823/var/log + lastlog + regular + 43 + 0 + 1612339812 + 1612339812 + 1612339812 + 30660 + false + false + false + true + true + false + true + true + false + true + false + false + + + + /var/lib/snapd/snap/core/10823/var/log/btmp + /var/lib/snapd/snap/core/10823/var/log + btmp + regular + 43 + 0 + 1612339800 + 1612339800 + 1612339800 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + + + + /var/lib/snapd/snap/core/10823/run/utmp + /var/lib/snapd/snap/core/10823/run + utmp + regular + 43 + 0 + 1612339800 + 1612339800 + 1612339800 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + + + + /var/lib/snapd/snap/core/10823/etc/ppp/peers/provider + /var/lib/snapd/snap/core/10823/etc/ppp/peers + provider + regular + 30 + 0 + 1612339913 + 1612339913 + 1612339913 + 1093 + false + false + false + true + true + false + true + false + false + false + false + false + + + + /var/lib/snapd/snap/core/10823/etc/chatscripts/provider + /var/lib/snapd/snap/core/10823/etc/chatscripts + provider + regular + 30 + 0 + 1612339913 + 1612339913 + 1612339913 + 656 + false + false + false + true + true + false + true + false + false + false + false + false + + + + /var/lib/snapd/snap/core/10823/dev/agpgart + /var/lib/snapd/snap/core/10823/dev + agpgart + character special + 44 + 0 + 1612339809 + 1612339809 + 1612339809 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + + + + /var/lib/snapd/snap/core/10583/var/log/wtmp + /var/lib/snapd/snap/core/10583/var/log + wtmp + regular + 43 + 0 + 1608065782 + 1608065782 + 1608065782 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + + + + /var/lib/snapd/snap/core/10583/var/log/lastlog + /var/lib/snapd/snap/core/10583/var/log + lastlog + regular + 43 + 0 + 1608065805 + 1608065805 + 1608065805 + 30660 + false + false + false + true + true + false 
+ true + true + false + true + false + false + + + + gpg-pubkey + (none) + (none) + 5ca9b41f + 6dc1be18 + 0:6dc1be18-5ca9b41f + 0 + gpg-pubkey-0:6dc1be18-5ca9b41f.(none) + + + /var/lib/snapd/snap/core/10583/var/log/btmp + /var/lib/snapd/snap/core/10583/var/log + btmp + regular + 43 + 0 + 1608065782 + 1608065782 + 1608065782 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + + + + /var/lib/snapd/snap/core/10583/run/utmp + /var/lib/snapd/snap/core/10583/run + utmp + regular + 43 + 0 + 1608065782 + 1608065782 + 1608065782 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + + + + /var/lib/snapd/snap/core/10583/etc/ppp/peers/provider + /var/lib/snapd/snap/core/10583/etc/ppp/peers + provider + regular + 30 + 0 + 1608065906 + 1608065906 + 1608065906 + 1093 + false + false + false + true + true + false + true + false + false + false + false + false + + + + /var/lib/snapd/snap/core/10583/etc/chatscripts/provider + /var/lib/snapd/snap/core/10583/etc/chatscripts + provider + regular + 30 + 0 + 1608065906 + 1608065906 + 1608065906 + 656 + false + false + false + true + true + false + true + false + false + false + false + false + + + + /var/lib/snapd/snap/core/10583/dev/agpgart + /var/lib/snapd/snap/core/10583/dev + agpgart + character special + 44 + 0 + 1608065799 + 1608065799 + 1608065799 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + + + + gpg-pubkey + (none) + (none) + 5ca9b382 + 100bcd92 + 0:100bcd92-5ca9b382 + 0 + gpg-pubkey-0:100bcd92-5ca9b382.(none) + + + gpg-pubkey + (none) + (none) + 5dadbbc1 + d651ff2e + 0:d651ff2e-5dadbbc1 + 0 + gpg-pubkey-0:d651ff2e-5dadbbc1.(none) + + + gpg-pubkey + (none) + (none) + 5631588c + be1229cf + 0:be1229cf-5631588c + 0 + gpg-pubkey-0:be1229cf-5631588c.(none) + + + /etc/system-release-cpe + /etc + system-release-cpe + ^cpe:\/o:fedoraproject:fedora:[\d]+$ + 1 + 
^cpe:\/o:fedoraproject:fedora:[\d]+$ + cpe:/o:fedoraproject:fedora:34 + + + fedora-release-workstation + noarch + (none) + 1 + 34 + 0:34-1 + 1161ae6945719a39 + fedora-release-workstation-0:34-1.noarch + + + fedora-release-common + noarch + (none) + 1 + 34 + 0:34-1 + 1161ae6945719a39 + fedora-release-common-0:34-1.noarch + + + fedora-release-identity-workstation + noarch + (none) + 1 + 34 + 0:34-1 + 1161ae6945719a39 + fedora-release-identity-workstation-0:34-1.noarch + + + /boot + /dev/nvme0n1p2 + 2d18d46f-1b02-4460-a943-6e00e4ad8f2b + ext4 + rw + seclabel + relatime + bind + 249830 + 64712 + 185118 + + + /home + /dev/mapper/fedora_localhost--live-home + 984e5d60-c3e6-4242-864c-8d5cde298dde + ext4 + rw + seclabel + relatime + bind + 38763872 + 29999914 + 8763958 + + + fs.protected_symlinks + 1 + + + /usr/lib/sysctl.d/50-default.conf + /usr/lib/sysctl.d + 50-default.conf + ^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$ + 1 + ^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$ + fs.protected_symlinks = 1 + + + + /tmp + tmpfs + + tmpfs + rw + seclabel + nosuid + nodev + size=16320736k + nr_inodes=409600 + inode64 + 4080184 + 1383013 + 2697171 + + + fs.protected_hardlinks + 1 + + + /usr/lib/sysctl.d/50-default.conf + /usr/lib/sysctl.d + 50-default.conf + ^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$ + 1 + ^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$ + fs.protected_hardlinks = 1 + + + /dev/shm/lttng-ust-wait-8 + /dev/shm + lttng-ust-wait-8 + regular + 1000 + 1000 + 1629116483 + 1629101640 + 1629101640 + 4096 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.ccache/7/e/stats + /home/jrodak/.ccache/7/e + stats + regular + 1000 + 1000 + 1628083908 + 1628083908 + 1628083908 + 66 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.ccache/7/b/stats + /home/jrodak/.ccache/7/b + stats + regular + 1000 + 1000 + 1628083908 + 1628083908 + 1628083908 + 66 
+ false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.ccache/8/3/stats + /home/jrodak/.ccache/8/3 + stats + regular + 1000 + 1000 + 1628083908 + 1628083908 + 1628083908 + 66 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.ccache/8/2/stats + /home/jrodak/.ccache/8/2 + stats + regular + 1000 + 1000 + 1628083908 + 1628083908 + 1628083908 + 66 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.ccache/8/8/stats + /home/jrodak/.ccache/8/8 + stats + regular + 1000 + 1000 + 1628083908 + 1628083908 + 1628083908 + 66 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.ccache/8/4/stats + /home/jrodak/.ccache/8/4 + stats + regular + 1000 + 1000 + 1628083908 + 1628083908 + 1628083908 + 66 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.ccache/8/5/stats + /home/jrodak/.ccache/8/5 + stats + regular + 1000 + 1000 + 1628083908 + 1628083908 + 1628083908 + 66 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /etc/gdm/custom.conf + /etc/gdm + custom.conf + regular + 0 + 0 + 1629099981 + 1628416234 + 1627053375 + 227 + false + false + false + true + true + false + true + false + false + true + false + false + false + + + /home/jrodak/Pictures/wallpaper.png + /home/jrodak/Pictures + wallpaper.png + regular + 1000 + 1000 + 1629100019 + 1595291600 + 1568589524 + 4078331 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.config/Code/User/globalStorage/github.vscode-codeql/distribution1/codeql/csharp/tools/linux64/System.Composition.TypedParts.dll + 
/home/jrodak/.config/Code/User/globalStorage/github.vscode-codeql/distribution1/codeql/csharp/tools/linux64 + System.Composition.TypedParts.dll + regular + 1000 + 1000 + 1622803221 + 1617025161 + 1617025160 + 64760 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.config/Code/User/globalStorage/github.vscode-codeql/distribution1/codeql/csharp/tools/linux64/System.Composition.Runtime.dll + /home/jrodak/.config/Code/User/globalStorage/github.vscode-codeql/distribution1/codeql/csharp/tools/linux64 + System.Composition.Runtime.dll + regular + 1000 + 1000 + 1622803221 + 1617025161 + 1617025160 + 29928 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.config/Code/User/globalStorage/github.vscode-codeql/distribution1/codeql/csharp/tools/linux64/System.Composition.AttributedModel.dll + /home/jrodak/.config/Code/User/globalStorage/github.vscode-codeql/distribution1/codeql/csharp/tools/linux64 + System.Composition.AttributedModel.dll + regular + 1000 + 1000 + 1622803221 + 1617025161 + 1617025160 + 24840 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.config/Code/User/globalStorage/github.vscode-codeql/distribution1/codeql/csharp/tools/linux64/System.Composition.Hosting.dll + /home/jrodak/.config/Code/User/globalStorage/github.vscode-codeql/distribution1/codeql/csharp/tools/linux64 + System.Composition.Hosting.dll + regular + 1000 + 1000 + 1622803221 + 1617025161 + 1617025160 + 62184 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.config/Code/User/globalStorage/github.vscode-codeql/distribution1/codeql/csharp/tools/linux64/System.Composition.Convention.dll + /home/jrodak/.config/Code/User/globalStorage/github.vscode-codeql/distribution1/codeql/csharp/tools/linux64 + System.Composition.Convention.dll + regular + 1000 
+ 1000 + 1622803221 + 1617025161 + 1617025160 + 59128 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/632560aa0dc5dc1d/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/632560aa0dc5dc1d + mmap_address.bin + regular + 1000 + 1000 + 1628086409 + 1628086409 + 1628086409 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/632560aa0dc5dc1d/oscap-tool.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/632560aa0dc5dc1d + oscap-tool.ipch + regular + 1000 + 1000 + 1628086409 + 1628086409 + 1628086409 + 10960896 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/7fda47f6229a6a7d/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/7fda47f6229a6a7d + mmap_address.bin + regular + 1000 + 1000 + 1622803146 + 1606082933 + 1606082933 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/ee8427454b63bf0f/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/ee8427454b63bf0f + mmap_address.bin + regular + 1000 + 1000 + 1622803145 + 1613663179 + 1613663179 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /etc/dconf/profile/user + /etc/dconf/profile + user + ^user-db:user\nsystem-db:local$ + 1 + ^user-db:user\nsystem-db:local$ + user-db:user +system-db:local + + + /home/jrodak/.cache/vscode-cpptools/ipch/ee8427454b63bf0f/tdd_tests.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/ee8427454b63bf0f + tdd_tests.ipch + regular + 1000 + 1000 + 1622803145 + 1613913301 + 1613913301 + 108961792 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + 
/home/jrodak/.cache/vscode-cpptools/ipch/12e3f54302100ab/max_value_of_three_nums.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/12e3f54302100ab + max_value_of_three_nums.ipch + regular + 1000 + 1000 + 1622803146 + 1613992142 + 1613992142 + 1564672 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/44e98ccf2077206e/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/44e98ccf2077206e + mmap_address.bin + regular + 1000 + 1000 + 1622803145 + 1613663134 + 1613663134 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/b3310d8ffd7cb3c8/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/b3310d8ffd7cb3c8 + mmap_address.bin + regular + 1000 + 1000 + 1622803146 + 1613663419 + 1613663419 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/5622c0a00ba9deec/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/5622c0a00ba9deec + mmap_address.bin + regular + 1000 + 1000 + 1622803145 + 1607973197 + 1607973197 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/5622c0a00ba9deec/cv13_.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/5622c0a00ba9deec + cv13_.ipch + regular + 1000 + 1000 + 1622803145 + 1608023448 + 1608023448 + 1892352 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/a79f2c82fe6b0854/cv10.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/a79f2c82fe6b0854 + cv10.ipch + regular + 1000 + 1000 + 1622803146 + 1613992201 + 1613992201 + 2744320 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + 
/home/jrodak/.cache/vscode-cpptools/ipch/4870d43d86a3abec/todo.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/4870d43d86a3abec + todo.ipch + regular + 1000 + 1000 + 1622803146 + 1613992135 + 1613992135 + 1564672 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/70fa1842a704dead/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/70fa1842a704dead + mmap_address.bin + regular + 1000 + 1000 + 1622803149 + 1606083005 + 1606083005 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/70fa1842a704dead/sheet.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/70fa1842a704dead + sheet.ipch + regular + 1000 + 1000 + 1622803149 + 1619167177 + 1619167177 + 2023424 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + oval:ssg-var_dconf_local_db_modified_time:var:1 + 703575 + + + /home/jrodak/.cache/vscode-cpptools/ipch/9675ef38364ee9e7/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/9675ef38364ee9e7 + mmap_address.bin + regular + 1000 + 1000 + 1622803148 + 1615393953 + 1615393953 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/9675ef38364ee9e7/calc.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/9675ef38364ee9e7 + calc.ipch + regular + 1000 + 1000 + 1622803148 + 1615394986 + 1615394986 + 41123840 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/e8f103f12b026ef/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/e8f103f12b026ef + mmap_address.bin + regular + 1000 + 1000 + 1622803147 + 1614116171 + 1614116171 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + 
/home/jrodak/.cache/vscode-cpptools/ipch/e8f103f12b026ef/tdd_tests.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/e8f103f12b026ef + tdd_tests.ipch + regular + 1000 + 1000 + 1622803147 + 1615502386 + 1615502386 + 105414656 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/1407253684ae087a/main_CV5.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/1407253684ae087a + main_CV5.ipch + regular + 1000 + 1000 + 1622803149 + 1604964826 + 1604964826 + 1499136 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/1ea9860be12108a/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/1ea9860be12108a + mmap_address.bin + regular + 1000 + 1000 + 1628083909 + 1628083909 + 1628083909 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/1ea9860be12108a/oscap-cvrf.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/1ea9860be12108a + oscap-cvrf.ipch + regular + 1000 + 1000 + 1628083909 + 1628083909 + 1628083909 + 11157504 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/5eb93f5b6f702f1d/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/5eb93f5b6f702f1d + mmap_address.bin + regular + 1000 + 1000 + 1622803146 + 1605004087 + 1605004087 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/eaee85d564f4995b/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/eaee85d564f4995b + mmap_address.bin + regular + 1000 + 1000 + 1622803146 + 1605004086 + 1605004086 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + 
/home/jrodak/.cache/vscode-cpptools/ipch/451f6a759eac864e/file.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/451f6a759eac864e + file.ipch + regular + 1000 + 1000 + 1622803149 + 1613992155 + 1613992155 + 1564672 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /etc/dconf/db/local + /etc/dconf/db + local + regular + 0 + 0 + 1629099988 + 1628416221 + 1628416221 + 104 + false + false + false + true + true + false + true + false + false + true + false + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/58413b39cd4fbdde/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/58413b39cd4fbdde + mmap_address.bin + regular + 1000 + 1000 + 1622803145 + 1607211346 + 1607211346 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/58413b39cd4fbdde/spc.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/58413b39cd4fbdde + spc.ipch + regular + 1000 + 1000 + 1622803145 + 1607211346 + 1607211346 + 2023424 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/d8895c06caf9e07/flex.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/d8895c06caf9e07 + flex.ipch + regular + 1000 + 1000 + 1622803146 + 1613992155 + 1613992155 + 1564672 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/805025766b9c1cdf/CV6.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/805025766b9c1cdf + CV6.ipch + regular + 1000 + 1000 + 1622803146 + 1613992170 + 1613992170 + 1826816 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/78e2ef7c42668fb/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/78e2ef7c42668fb + mmap_address.bin + regular + 1000 + 1000 + 1622803145 + 
1606818103 + 1606818103 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/78e2ef7c42668fb/fib.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/78e2ef7c42668fb + fib.ipch + regular + 1000 + 1000 + 1622803145 + 1613992150 + 1613992150 + 1826816 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/190a5482cf38120e/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/190a5482cf38120e + mmap_address.bin + regular + 1000 + 1000 + 1622803148 + 1614110688 + 1614110688 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/424f1c5726f95634/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/424f1c5726f95634 + mmap_address.bin + regular + 1000 + 1000 + 1622803146 + 1613663208 + 1613663208 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/c1effc3d5453f73a/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/c1effc3d5453f73a + mmap_address.bin + regular + 1000 + 1000 + 1622803148 + 1615393961 + 1615393961 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/c1effc3d5453f73a/profiling.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/c1effc3d5453f73a + profiling.ipch + regular + 1000 + 1000 + 1622803148 + 1615395210 + 1615395210 + 41123840 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + dconf + x86_64 + (none) + 3.fc34 + 0.40.0 + 0:0.40.0-3.fc34 + 1161ae6945719a39 + dconf-0:0.40.0-3.fc34.x86_64 + + + /home/jrodak/.cache/vscode-cpptools/ipch/ac476b2f3c2913a5/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/ac476b2f3c2913a5 
+ mmap_address.bin + regular + 1000 + 1000 + 1622803146 + 1618864974 + 1618864974 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/ac476b2f3c2913a5/proj2.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/ac476b2f3c2913a5 + proj2.ipch + regular + 1000 + 1000 + 1622803146 + 1618865399 + 1618865399 + 1826816 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/e243438bffa621ba/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/e243438bffa621ba + mmap_address.bin + regular + 1000 + 1000 + 1622803146 + 1618174454 + 1618174454 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/252e5d1fe2e1640f/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/252e5d1fe2e1640f + mmap_address.bin + regular + 1000 + 1000 + 1622803146 + 1606759590 + 1606759590 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/252e5d1fe2e1640f/sps.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/252e5d1fe2e1640f + sps.ipch + regular + 1000 + 1000 + 1622803146 + 1606833445 + 1606833445 + 2023424 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/8f3b9ee3c08e888a/hello.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/8f3b9ee3c08e888a + hello.ipch + regular + 1000 + 1000 + 1622803149 + 1613992160 + 1613992160 + 1695744 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/ba1cbd5b9ff34e87/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/ba1cbd5b9ff34e87 + mmap_address.bin + regular + 1000 + 1000 + 1628083963 + 1628083963 + 
1628083963 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/ba1cbd5b9ff34e87/oscap-oval.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/ba1cbd5b9ff34e87 + oscap-oval.ipch + regular + 1000 + 1000 + 1628083963 + 1628083963 + 1628083963 + 11288576 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/365f82bfcfb11a1e/pole.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/365f82bfcfb11a1e + pole.ipch + regular + 1000 + 1000 + 1622803149 + 1613992144 + 1613992144 + 1564672 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/3dbd5d46f7fedab3/pointer.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/3dbd5d46f7fedab3 + pointer.ipch + regular + 1000 + 1000 + 1622803149 + 1604964832 + 1604964832 + 1761280 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + gdm + x86_64 + 1 + 1.fc34 + 40.1 + 1:40.1-1.fc34 + 1161ae6945719a39 + gdm-1:40.1-1.fc34.x86_64 + + + /home/jrodak/.cache/vscode-cpptools/ipch/288eaf99665b4846/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/288eaf99665b4846 + mmap_address.bin + regular + 1000 + 1000 + 1622803148 + 1613928690 + 1613928690 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/288eaf99665b4846/idk_nwm.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/288eaf99665b4846 + idk_nwm.ipch + regular + 1000 + 1000 + 1622803148 + 1613929034 + 1613929034 + 54411264 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/283f5869b8bad9cb/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/283f5869b8bad9cb + mmap_address.bin + 
regular + 1000 + 1000 + 1628086211 + 1628084012 + 1628084012 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/46d168d461b99f5/test_loda.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/46d168d461b99f5 + test_loda.ipch + regular + 1000 + 1000 + 1622803146 + 1613992129 + 1613992129 + 1826816 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/57f240d14a726ebd/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/57f240d14a726ebd + mmap_address.bin + regular + 1000 + 1000 + 1622803148 + 1614191167 + 1614191167 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/57f240d14a726ebd/lol.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/57f240d14a726ebd + lol.ipch + regular + 1000 + 1000 + 1622803148 + 1614191955 + 1614191955 + 24526848 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/9ec66b18b7cf6ad/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/9ec66b18b7cf6ad + mmap_address.bin + regular + 1000 + 1000 + 1622803147 + 1614110069 + 1614110069 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/eefb5a933733cb18/test.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/eefb5a933733cb18 + test.ipch + regular + 1000 + 1000 + 1622803146 + 1613992191 + 1613992191 + 1564672 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/1917abbc1434cec4/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/1917abbc1434cec4 + mmap_address.bin + regular + 1000 + 1000 + 1622803145 + 1613663117 + 1613663117 + 8 + 
false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/592d6626bcb3eecd/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/592d6626bcb3eecd + mmap_address.bin + regular + 1000 + 1000 + 1622803146 + 1618865460 + 1618865460 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/e2d8eb3a1bcfa88e/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/e2d8eb3a1bcfa88e + mmap_address.bin + regular + 1000 + 1000 + 1622803145 + 1607211103 + 1607211103 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/e2d8eb3a1bcfa88e/sps.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/e2d8eb3a1bcfa88e + sps.ipch + regular + 1000 + 1000 + 1622803145 + 1607211103 + 1607211103 + 2023424 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/a4b33073949f7bcd/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/a4b33073949f7bcd + mmap_address.bin + regular + 1000 + 1000 + 1622803145 + 1613663125 + 1613663125 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/a4b33073949f7bcd/tdd_code.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/a4b33073949f7bcd + tdd_code.ipch + regular + 1000 + 1000 + 1622803145 + 1613928988 + 1613928988 + 3272704 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/881246766fbf5480/CV7.ipch + /home/jrodak/.cache/vscode-cpptools/ipch/881246766fbf5480 + CV7.ipch + regular + 1000 + 1000 + 1622803146 + 1605003452 + 1605003452 + 1761280 + false + false + false + true + true + false + true + true + false + 
true + true + false + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/3cc4dbab62a0dd85/mmap_address.bin + /home/jrodak/.cache/vscode-cpptools/ipch/3cc4dbab62a0dd85 + mmap_address.bin + regular + 1000 + 1000 + 1622803146 + 1605288793 + 1605288793 + 8 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /home/jrodak/.config/Code/User/workspaceStorage/3e1f92b5644d65d96ed0dd9c18117153/ms-vscode.cpptools + + directory + 1000 + 1000 + 1629119817 + 1607211989 + 1607211989 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.config/Code/User/workspaceStorage/2e171c3928c50d501d5afda2666f3141/ms-vscode.cpptools + + directory + 1000 + 1000 + 1629119817 + 1606834005 + 1606834005 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.config/Code/User/workspaceStorage/626a2a948e2901518a2438174d603c30/ms-vscode.cpptools + + directory + 1000 + 1000 + 1629119817 + 1618865784 + 1618865784 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.config/Code/User/workspaceStorage/9941d9a8ccddeaba36876deae7a227af/ms-vscode.cpptools + + directory + 1000 + 1000 + 1629119817 + 1628086606 + 1628086606 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /etc/sudoers.d/pkg-build + /etc/sudoers.d + pkg-build + ^[\s]*Defaults.*\brequiretty\b.*$ + 1 + ^[\s]*Defaults.*\brequiretty\b.*$ + Defaults:%pkg-build !requiretty + + + /home/jrodak/.config/Code/User/workspaceStorage/a2e89897d1c711dbd85e0bdb6e34dc4b/ms-vscode.cpptools + + directory + 1000 + 1000 + 1629119817 + 1617311480 + 1617311480 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + 
/home/jrodak/.config/Code/User/workspaceStorage/aa28b96b92f2206b8d16577977917671/ms-vscode.cpptools + + directory + 1000 + 1000 + 1629119817 + 1618175116 + 1618175116 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.config/Code/User/workspaceStorage/d48a631fae3100c46169139d099361ed/ms-vscode.cpptools + + directory + 1000 + 1000 + 1629119817 + 1612973991 + 1612973991 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.config/Code/User/workspaceStorage/e551b3e7297f88383b4b0a2dacf9906b/ms-vscode.cpptools + + directory + 1000 + 1000 + 1629119817 + 1619169621 + 1619169621 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.config/Code/User/workspaceStorage/24977f564a2e581517ed7a7517aeb986/ms-vscode.cpptools + + directory + 1000 + 1000 + 1629119817 + 1615507173 + 1615507173 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.config/Code/User/workspaceStorage/bc89dc323f3a90789109ffd5295e9f89/ms-vscode.cpptools + + directory + 1000 + 1000 + 1629119817 + 1614015890 + 1614015890 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.config/Code/User/workspaceStorage/1e418c36a46c1c54480ca8c5b2a46317/ms-vscode.cpptools + + directory + 1000 + 1000 + 1629119817 + 1605314331 + 1605314331 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.config/Code/User/workspaceStorage/1cda0183e0a6198a30c0d51061765028/ms-vscode.cpptools + + directory + 1000 + 1000 + 1629119817 + 1614014727 + 1614014727 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + 
/home/jrodak/.config/Code/User/workspaceStorage/69f617119b21b01c172af666cb0cb577/ms-vscode.cpptools + + directory + 1000 + 1000 + 1629119817 + 1619960460 + 1619960460 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.config/Code/User/workspaceStorage/bb3d070eb9c016680066bd2b6acb9149/ms-vscode.cpptools + + directory + 1000 + 1000 + 1629119817 + 1618919120 + 1618919120 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /etc/sudoers.d/pkg-build + /etc/sudoers.d + pkg-build + ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ + 1 + ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ + %pkg-build ALL = (pkg-build) NOPASSWD: /usr/share/lpf/scripts/lpf-pkgbuild + + + /home/jrodak/.cache/vscode-cpptools/ipch/632560aa0dc5dc1d + + directory + 1000 + 1000 + 1629119806 + 1628086409 + 1628086409 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/7fda47f6229a6a7d + + directory + 1000 + 1000 + 1629119806 + 1612973580 + 1612973580 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/ee8427454b63bf0f + + directory + 1000 + 1000 + 1629119806 + 1613912913 + 1613912913 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/1afd049ae8b2d1be + + directory + 1000 + 1000 + 1629119806 + 1606759535 + 1606759535 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/f405330bc6ca5dc3 + + directory + 1000 + 1000 + 1629119806 + 1607276406 + 1607276406 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/44e98ccf2077206e + + directory + 
1000 + 1000 + 1629119806 + 1614014594 + 1614014594 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/b3310d8ffd7cb3c8 + + directory + 1000 + 1000 + 1629119806 + 1614015341 + 1614015341 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/5622c0a00ba9deec + + directory + 1000 + 1000 + 1629119806 + 1607973198 + 1607973198 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/a79f2c82fe6b0854 + + directory + 1000 + 1000 + 1629119806 + 1613992163 + 1613992163 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/a28fdefc2d3837e + + directory + 1000 + 1000 + 1629119806 + 1606088583 + 1606088583 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /etc/sudoers.d/pkg-build + /etc/sudoers.d + pkg-build + ^(?!(#|vdsm.*)).*[\s]+NOPASSWD[\s]*\:.*$ + 1 + ^(?!(#|vdsm.*)).*[\s]+NOPASSWD[\s]*\:.*$ + %pkg-build ALL = (pkg-build) NOPASSWD: /usr/share/lpf/scripts/lpf-pkgbuild + + + /home/jrodak/.cache/vscode-cpptools/ipch/a8a87fcccc867554 + + directory + 1000 + 1000 + 1629119806 + 1614122164 + 1614122164 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/b1073d8303f52ee9 + + directory + 1000 + 1000 + 1629119806 + 1613992107 + 1613992107 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/502f8e4c12a9327c + + directory + 1000 + 1000 + 1629119806 + 1607212326 + 1607212326 + 4096 + false + false + false + true + true + true + true + true + true + true + true + 
true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/70fa1842a704dead + + directory + 1000 + 1000 + 1629119806 + 1618865122 + 1618865122 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/9675ef38364ee9e7 + + directory + 1000 + 1000 + 1629119806 + 1615393953 + 1615393953 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/e8f103f12b026ef + + directory + 1000 + 1000 + 1629119806 + 1615502386 + 1615502386 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/1ea9860be12108a + + directory + 1000 + 1000 + 1629119806 + 1628083909 + 1628083909 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/5eb93f5b6f702f1d + + directory + 1000 + 1000 + 1629119806 + 1606084752 + 1606084752 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/eaee85d564f4995b + + directory + 1000 + 1000 + 1629119806 + 1613992118 + 1613992118 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/58413b39cd4fbdde + + directory + 1000 + 1000 + 1629119806 + 1607211346 + 1607211346 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /etc/sudoers + /etc + sudoers + ^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*[^\(\s] + 1 + ^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*[^\(\s] + Defaults env_keep = " + Defaults + env_keep + + + /home/jrodak/.cache/vscode-cpptools/ipch/78e2ef7c42668fb + + directory + 1000 + 1000 + 1629119806 + 1613992150 + 1613992150 + 4096 + false + false + false 
+ true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/190a5482cf38120e + + directory + 1000 + 1000 + 1629119806 + 1614276746 + 1614276746 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/3536a7d163ca7481 + + directory + 1000 + 1000 + 1629119806 + 1613741665 + 1613741665 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/424f1c5726f95634 + + directory + 1000 + 1000 + 1629119806 + 1614014414 + 1614014414 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/16338e1d121e0913 + + directory + 1000 + 1000 + 1629119806 + 1615502400 + 1615502400 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/3a3142a4c0d15c5e + + directory + 1000 + 1000 + 1629119806 + 1614191115 + 1614191115 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/c1effc3d5453f73a + + directory + 1000 + 1000 + 1629119806 + 1615393962 + 1615393962 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/ac476b2f3c2913a5 + + directory + 1000 + 1000 + 1629119806 + 1618865154 + 1618865154 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/e243438bffa621ba + + directory + 1000 + 1000 + 1629119806 + 1618174454 + 1618174454 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/252e5d1fe2e1640f 
+ + directory + 1000 + 1000 + 1629119806 + 1606759590 + 1606759590 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /etc/sudoers.d/pkg-build + /etc/sudoers.d + pkg-build + ^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*[^\(\s] + 1 + ^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*[^\(\s] + +Cmnd_Alias LPF_COMMANDS = / + Cmnd_Alias + LPF_COMMANDS + + + /home/jrodak/.cache/vscode-cpptools/ipch/9fa15309176a75aa + + directory + 1000 + 1000 + 1629119806 + 1604975828 + 1604975828 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/965fb6aa8617cbe8 + + directory + 1000 + 1000 + 1629119806 + 1614277179 + 1614277179 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/ba1cbd5b9ff34e87 + + directory + 1000 + 1000 + 1629119806 + 1628083963 + 1628083963 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/288eaf99665b4846 + + directory + 1000 + 1000 + 1629119806 + 1613929034 + 1613929034 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/283f5869b8bad9cb + + directory + 1000 + 1000 + 1629119806 + 1628086211 + 1628086211 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/46d168d461b99f5 + + directory + 1000 + 1000 + 1629119806 + 1613992129 + 1613992129 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/1b6aa3f34bcb7281 + + directory + 1000 + 1000 + 1629119806 + 1613992123 + 1613992123 + 4096 + false + false + false + true + true + true + true + true + 
true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/57f240d14a726ebd + + directory + 1000 + 1000 + 1629119806 + 1614191955 + 1614191955 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/9ec66b18b7cf6ad + + directory + 1000 + 1000 + 1629119806 + 1615502741 + 1615502741 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/1917abbc1434cec4 + + directory + 1000 + 1000 + 1629119806 + 1613663117 + 1613663117 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /etc/sudoers + /etc + sudoers + ^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$)) + 1 + ^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$)) + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + + + /home/jrodak/.cache/vscode-cpptools/ipch/592d6626bcb3eecd + + directory + 1000 + 1000 + 1629119806 + 1619701636 + 1619701636 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/e2d8eb3a1bcfa88e + + directory + 1000 + 1000 + 1629119806 + 1607211103 + 1607211103 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/a4b33073949f7bcd + + directory + 1000 + 1000 + 1629119806 + 1613928988 + 1613928988 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + 
/home/jrodak/.cache/vscode-cpptools/ipch/881246766fbf5480 + + directory + 1000 + 1000 + 1629119806 + 1604999883 + 1604999883 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/506d0e888438673e + + directory + 1000 + 1000 + 1629119806 + 1628086262 + 1628086262 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/ba0f5e83092d292a + + directory + 1000 + 1000 + 1629119806 + 1607459986 + 1607459986 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /home/jrodak/.cache/vscode-cpptools/ipch/3cc4dbab62a0dd85 + + directory + 1000 + 1000 + 1629119806 + 1605290110 + 1605290110 + 4096 + false + false + false + true + true + true + true + true + true + true + true + true + false + + + /boot/System.map-5.13.9-200.fc34.x86_64 + /boot + System.map-5.13.9-200.fc34.x86_64 + regular + 0 + 0 + 1628434196 + 1629101675 + 1628434196 + 5772381 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /boot/System.map-5.13.7-200.fc34.x86_64 + /boot + System.map-5.13.7-200.fc34.x86_64 + regular + 0 + 0 + 1627741577 + 1628416300 + 1627741577 + 5778794 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /boot/System.map-5.13.8-200.fc34.x86_64 + /boot + System.map-5.13.8-200.fc34.x86_64 + regular + 0 + 0 + 1628108158 + 1628586885 + 1628108158 + 5772381 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /etc/sudoers.d/pkg-build + /etc/sudoers.d + pkg-build + ^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$)) + 1 + ^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ 
\t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$)) + Defaults:%pkg-build !requiretty + +Cmnd_Alias LPF_COMMANDS = /usr/sbin/usermod + /usr/sbin/usermod + + + oval:ssg-var_etc_init_d_functions_umask_as_number:var:1 + 18 + + + /etc/init.d/functions + /etc/init.d + functions + ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*) + 1 + ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*) + umask 022 + 022 + + + oval:ssg-var_umask_for_daemons_umask_as_number:var:1 + 18 + + + kernel.randomize_va_space + 2 + + + kernel.kptr_restrict + 0 + + + fs.suid_dumpable + 2 + + + systemd-coredump.socket + FragmentPath + /usr/lib/systemd/system/systemd-coredump.socket + + + systemd-coredump.socket + LoadState + loaded + + + systemd-coredump.socket + ActiveState + active + + + /proc/cpuinfo + /proc + cpuinfo + ^flags[\s]+:.*[\s]+pae[\s]+.*[\s]+nx[\s]+.*$ + 1 + ^flags[\s]+:.*[\s]+pae[\s]+.*[\s]+nx[\s]+.*$ + flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d arch_capabilities + + + kernel.sysrq + 16 + + + kernel.perf_cpu_time_max_percent + 25 + + + kernel.perf_event_max_sample_rate + 79000 + + + kernel.unprivileged_bpf_disabled + 2 + + + kernel.dmesg_restrict + 0 + + + kernel.pid_max + 4194304 + + + user.max_user_namespaces + 127335 + + + net.core.bpf_jit_harden + 0 + + + vm.mmap_min_addr + 65536 + + + 
kernel.yama.ptrace_scope + 0 + + + sudo + x86_64 + (none) + 1.fc34 + 1.9.5p2 + 0:1.9.5p2-1.fc34 + 1161ae6945719a39 + sudo-0:1.9.5p2-1.fc34.x86_64 + + + kernel.kexec_load_disabled + 0 + + + kernel.modules_disabled + 0 + + + kernel.perf_event_paranoid + 2 + + + kernel.core_pattern + |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h + + + /usr/lib/sysctl.d/50-coredump.conf + /usr/lib/sysctl.d + 50-coredump.conf + ^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$ + 1 + ^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$ + kernel.core_pattern= + + + /etc/default/grub + /etc/default + grub + ^[ \t]*GRUB_CMDLINE_LINUX=([^#]*).*$ + 1 + ^[ \t]*GRUB_CMDLINE_LINUX=([^#]*).*$ + GRUB_CMDLINE_LINUX="resume=/dev/mapper/fedora_localhost--live-swap rd.lvm.lv=fedora_localhost-live/root rd.luks.uuid=luks-d6e9ed6a-a261-4e3c-a325-4794ab4551bb rd.lvm.lv=fedora_localhost-live/swap rhgb quiet" +GRUB_DISABLE_RECOVERY="true" +GRUB_ENABLE_BLSCFG=true + + "resume=/dev/mapper/fedora_localhost--live-swap rd.lvm.lv=fedora_localhost-live/root rd.luks.uuid=luks-d6e9ed6a-a261-4e3c-a325-4794ab4551bb rd.lvm.lv=fedora_localhost-live/swap rhgb quiet" +GRUB_DISABLE_RECOVERY="true" +GRUB_ENABLE_BLSCFG=true + + + + autofs.service + FragmentPath + /usr/lib/systemd/system/autofs.service + + + autofs.service + LoadState + loaded + + + autofs.service + ActiveState + inactive + + + autofs + x86_64 + 1 + 17.fc34 + 5.1.7 + 1:5.1.7-17.fc34 + 1161ae6945719a39 + autofs-1:5.1.7-17.fc34.x86_64 + + + krb5-workstation + x86_64 + (none) + 14.fc34 + 1.19.1 + 0:1.19.1-14.fc34 + 1161ae6945719a39 + krb5-workstation-0:1.19.1-14.fc34.x86_64 + + + /etc/audit/auditd.conf + /etc/audit + auditd.conf + ^[ \t]*(?i)local_events(?-i)[ \t]*=[ \t]* + 1 + ^[ \t]*(?i)local_events(?-i)[ \t]*=[ \t]* + local_events = + + + /etc/audit/auditd.conf + /etc/audit + auditd.conf + ^[ \t]*(?i)local_events(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + ^[ \t]*(?i)local_events(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + local_events = yes + yes + + 
+ /etc/audit/auditd.conf + /etc/audit + auditd.conf + ^[ ]*admin_space_left_action[ ]+=[ ]+(\S+)[ ]*$ + 1 + ^[ ]*admin_space_left_action[ ]+=[ ]+(\S+)[ ]*$ + admin_space_left_action = SUSPEND + SUSPEND + + + /etc/audit/auditd.conf + /etc/audit + auditd.conf + ^[ \t]*(?i)write_logs(?-i)[ \t]*=[ \t]* + 1 + ^[ \t]*(?i)write_logs(?-i)[ \t]*=[ \t]* + write_logs = + + + /etc/audit/auditd.conf + /etc/audit + auditd.conf + ^[ \t]*(?i)write_logs(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + ^[ \t]*(?i)write_logs(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + write_logs = yes + yes + + + /etc/audit/auditd.conf + /etc/audit + auditd.conf + ^[ ]*num_logs[ ]+=[ ]+(\d+)[ ]*$ + 1 + ^[ ]*num_logs[ ]+=[ ]+(\d+)[ ]*$ + num_logs = 5 + 5 + + + /etc/audit/auditd.conf + /etc/audit + auditd.conf + ^[ ]*disk_error_action[ ]+=[ ]+(\S+)[ ]*$ + 1 + ^[ ]*disk_error_action[ ]+=[ ]+(\S+)[ ]*$ + disk_error_action = SUSPEND + SUSPEND + + + /etc/audit/auditd.conf + /etc/audit + auditd.conf + ^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$ + 1 + ^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$ + space_left_action = SYSLOG + SYSLOG + + + /etc/audit/auditd.conf + /etc/audit + auditd.conf + ^[ \t]*(?i)log_format(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + ^[ \t]*(?i)log_format(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + log_format = ENRICHED + ENRICHED + + + /etc/audit/auditd.conf + /etc/audit + auditd.conf + ^[ \t]*(?i)name_format(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + ^[ \t]*(?i)name_format(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + name_format = NONE + NONE + + + gssproxy + x86_64 + (none) + 2.fc34 + 0.8.4 + 0:0.8.4-2.fc34 + 1161ae6945719a39 + gssproxy-0:0.8.4-2.fc34.x86_64 + + + /etc/audit/auditd.conf + /etc/audit + auditd.conf + ^[ ]*max_log_file_action[ ]+=[ ]+(\S+)[ ]*$ + 1 + ^[ ]*max_log_file_action[ ]+=[ ]+(\S+)[ ]*$ + max_log_file_action = ROTATE + ROTATE + + + /etc/audit/auditd.conf + /etc/audit + auditd.conf + ^[ ]*flush[ ]+=[ ]+(\S+)[ ]*$ + 1 + ^[ ]*flush[ ]+=[ ]+(\S+)[ ]*$ + flush = INCREMENTAL_ASYNC + INCREMENTAL_ASYNC + 
+ + /etc/audit/auditd.conf + /etc/audit + auditd.conf + ^[ ]*disk_full_action[ ]+=[ ]+(\S+)[ ]*$ + 1 + ^[ ]*disk_full_action[ ]+=[ ]+(\S+)[ ]*$ + disk_full_action = SUSPEND + SUSPEND + + + /etc/audit/auditd.conf + /etc/audit + auditd.conf + ^[ ]*max_log_file[ ]+=[ ]+(\d+)[ ]*$ + 1 + ^[ ]*max_log_file[ ]+=[ ]+(\d+)[ ]*$ + max_log_file = 8 + 8 + + + /etc/audit/auditd.conf + /etc/audit + auditd.conf + ^[ \t]*(?i)freq(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + 1 + ^[ \t]*(?i)freq(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) + freq = 50 + 50 + + + /etc/audit/auditd.conf + /etc/audit + auditd.conf + ^[ ]*action_mail_acct[ ]+=[ ]+(\S+)[ ]*$ + 1 + ^[ ]*action_mail_acct[ ]+=[ ]+(\S+)[ ]*$ + action_mail_acct = root + root + + + oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1 + 114 + + + /opt/google/chrome/chrome-sandbox + /opt/google/chrome + chrome-sandbox + regular + 0 + 0 + 1627677964 + 1628086867 + 1627677964 + 208888 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/sbin/grub2-set-bootflag + /usr/sbin + grub2-set-bootflag + regular + 0 + 0 + 1629100165 + 1624014736 + 1623771709 + 15624 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/sbin/lockdev + /usr/sbin + lockdev + regular + 54 + 0 + 1629119621 + 1622809652 + 1611747510 + 20448 + false + true + false + true + true + true + false + false + true + false + false + true + false + + + geolite2-country + noarch + (none) + 4.fc34 + 20191217 + 0:20191217-4.fc34 + 1161ae6945719a39 + geolite2-country-0:20191217-4.fc34.noarch + + + /usr/sbin/mount.nfs + /usr/sbin + mount.nfs + regular + 0 + 0 + 1629119673 + 1625650007 + 1624284284 + 117696 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/sbin/userhelper + /usr/sbin + userhelper + regular + 0 + 0 + 1629119670 + 1624638498 + 1623873546 + 45240 + true + false + false + true + true + true + false + false + 
true + false + false + true + false + + + /usr/sbin/unix_chkpwd + /usr/sbin + unix_chkpwd + regular + 0 + 0 + 1629099988 + 1625064586 + 1623352949 + 24552 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/sbin/pam_timestamp_check + /usr/sbin + pam_timestamp_check + regular + 0 + 0 + 1629119671 + 1625064586 + 1623352949 + 16096 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/libexec/qemu-bridge-helper + /usr/libexec + qemu-bridge-helper + regular + 0 + 0 + 1629117339 + 1624441909 + 1623698262 + 119568 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache + /usr/libexec + abrt-action-install-debuginfo-to-abrt-cache + regular + 173 + 173 + 1629119658 + 1623496475 + 1622813489 + 16120 + false + true + false + true + true + true + true + false + true + true + false + true + false + + + /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper + /usr/libexec/spice-gtk-x86_64 + spice-client-glib-usb-acl-helper + regular + 0 + 0 + 1629119625 + 1622809661 + 1611890051 + 24512 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/libexec/dbus-1/dbus-daemon-launch-helper + /usr/libexec/dbus-1 + dbus-daemon-launch-helper + regular + 81 + 0 + 1629119557 + 1622809525 + 1611634153 + 36896 + true + false + false + true + true + true + true + false + true + false + false + false + false + + + /usr/libexec/openssh/ssh-keysign + /usr/libexec/openssh + ssh-keysign + regular + 985 + 0 + 1629119544 + 1622809535 + 1621858552 + 316792 + false + true + false + true + false + true + true + false + true + true + false + true + false + + + /usr/libexec/utempter/utempter + /usr/libexec/utempter + utempter + regular + 22 + 0 + 1629119542 + 1622809429 + 1611745215 + 16072 + false + true + false + true + true + true + 
false + false + true + false + false + true + false + + + geolite2-city + noarch + (none) + 4.fc34 + 20191217 + 0:20191217-4.fc34 + 1161ae6945719a39 + geolite2-city-0:20191217-4.fc34.noarch + + + /usr/libexec/snapd/snap-confine + /usr/libexec/snapd + snap-confine + regular + 0 + 0 + 1629119657 + 1623496475 + 1622527894 + 100048 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/libexec/Xorg.wrap + /usr/libexec + Xorg.wrap + regular + 0 + 0 + 1629119605 + 1622810693 + 1618397907 + 16408 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/lib/polkit-1/polkit-agent-helper-1 + /usr/lib/polkit-1 + polkit-agent-helper-1 + regular + 0 + 0 + 1629119513 + 1623086118 + 1622723352 + 24536 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/share/code/chrome-sandbox + /usr/share/code + chrome-sandbox + regular + 0 + 0 + 1629119702 + 1628260598 + 1628120130 + 50608 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/bin/locate + /usr/bin + locate + regular + 21 + 0 + 1629119542 + 1622810791 + 1611757998 + 41088 + false + true + false + true + true + true + false + false + true + false + false + true + false + + + /usr/bin/at + /usr/bin + at + regular + 0 + 0 + 1629119610 + 1622809650 + 1611623910 + 57432 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/bin/vmware-user-suid-wrapper + /usr/bin + vmware-user-suid-wrapper + regular + 0 + 0 + 1629100019 + 1627894012 + 1626385181 + 16216 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/bin/mount + /usr/bin + mount + regular + 0 + 0 + 1629099969 + 1622809483 + 1613143287 + 49920 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/bin/ksu + /usr/bin + 
ksu + regular + 0 + 0 + 1629119685 + 1626254104 + 1626110278 + 236480 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/bin/fusermount3 + /usr/bin + fusermount3 + regular + 0 + 0 + 1629100019 + 1624263163 + 1623764964 + 36912 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + abrt-cli + x86_64 + (none) + 3.fc34 + 2.14.6 + 0:2.14.6-3.fc34 + 1161ae6945719a39 + abrt-cli-0:2.14.6-3.fc34.x86_64 + + + /usr/bin/passwd + /usr/bin + passwd + regular + 0 + 0 + 1629119566 + 1622809560 + 1612029202 + 32712 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/bin/umount + /usr/bin + umount + regular + 0 + 0 + 1629101683 + 1622809483 + 1613143287 + 37560 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/bin/chage + /usr/bin + chage + regular + 0 + 0 + 1629119731 + 1629101608 + 1628497282 + 74208 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/bin/fusermount-glusterfs + /usr/bin + fusermount-glusterfs + regular + 0 + 0 + 1629119674 + 1625775158 + 1624970677 + 36904 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/bin/gpasswd + /usr/bin + gpasswd + regular + 0 + 0 + 1629119731 + 1629101608 + 1628497282 + 78536 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/bin/chfn + /usr/bin + chfn + regular + 0 + 0 + 1629119612 + 1622809621 + 1613143287 + 33488 + true + false + false + true + true + true + false + false + true + false + false + true + false + + + /usr/bin/newgrp + /usr/bin + newgrp + regular + 0 + 0 + 1629119731 + 1629101608 + 1628497282 + 42256 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/bin/sudo + /usr/bin + sudo + regular + 0 
+ 0 + 1629101475 + 1622809574 + 1611691776 + 185504 + true + false + false + false + false + true + false + false + true + false + false + true + false + + + /usr/bin/fusermount + /usr/bin + fusermount + regular + 0 + 0 + 1629119484 + 1622809518 + 1611643849 + 36904 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/bin/write + /usr/bin + write + regular + 5 + 0 + 1629119571 + 1622809483 + 1613143287 + 25248 + false + true + false + true + true + true + true + false + true + true + false + true + false + + + abrt-addon-kerneloops + x86_64 + (none) + 3.fc34 + 2.14.6 + 0:2.14.6-3.fc34 + 1161ae6945719a39 + abrt-addon-kerneloops-0:2.14.6-3.fc34.x86_64 + + + /usr/bin/crontab + /usr/bin + crontab + regular + 0 + 0 + 1629119627 + 1622809534 + 1617021233 + 53744 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/bin/su + /usr/bin + su + regular + 0 + 0 + 1629119571 + 1622809483 + 1613143287 + 58384 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/bin/pkexec + /usr/bin + pkexec + regular + 0 + 0 + 1629119513 + 1623086118 + 1622723352 + 32648 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /usr/bin/chsh + /usr/bin + chsh + regular + 0 + 0 + 1629119612 + 1622809621 + 1613143287 + 25264 + true + false + false + true + true + true + false + false + true + false + false + true + false + + + /usr/bin/staprun + /usr/bin + staprun + regular + 156 + 0 + 1629119604 + 1622810407 + 1620433322 + 99664 + true + false + false + false + false + true + false + false + true + false + false + false + false + + + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/grub2-set-bootflag + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin + grub2-set-bootflag + regular + 0 + 0 + 1616081920 + 1616081900 + 1614719005 + 12088 + true + false + false + true + true 
+ true + true + false + true + true + false + true + false + + + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/unix_chkpwd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin + unix_chkpwd + regular + 0 + 0 + 1616081919 + 1616081904 + 1606949172 + 37872 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin/pam_timestamp_check + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/sbin + pam_timestamp_check + regular + 0 + 0 + 1616081919 + 1616081904 + 1606949172 + 12352 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/libexec/dbus-1/dbus-daemon-launch-helper + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/libexec/dbus-1 + dbus-daemon-launch-helper + regular + 81 + 0 + 1616081919 + 1616081904 + 1607018850 + 63752 + true + false + false + true + true + true + true + false + true + false + false + false + false + + + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/libexec/utempter/utempter + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/libexec/utempter + utempter + regular + 22 + 0 + 1616081919 + 1616081904 + 1557538847 + 13344 + false + true + false + true + true + true + false + false + true + false + false + true + false + + + abrt-addon-ccpp + x86_64 + (none) + 3.fc34 + 2.14.6 + 0:2.14.6-3.fc34 + 1161ae6945719a39 + abrt-addon-ccpp-0:2.14.6-3.fc34.x86_64 + + + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/mount + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin + mount + regular + 0 + 0 + 1616081916 + 1616081905 + 1611212671 + 50472 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/umount + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin + umount + 
regular + 0 + 0 + 1616081916 + 1616081905 + 1611212671 + 33664 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/chage + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin + chage + regular + 0 + 0 + 1616081916 + 1616081903 + 1606872233 + 79648 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/gpasswd + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin + gpasswd + regular + 0 + 0 + 1616081916 + 1616081903 + 1606872233 + 84256 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/newgrp + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin + newgrp + regular + 0 + 0 + 1616081916 + 1616081903 + 1606872233 + 43544 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/write + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin + write + regular + 5 + 0 + 1616081916 + 1616081905 + 1611212671 + 21280 + false + true + false + true + true + true + true + false + true + true + false + true + false + + + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin/su + /var/lib/mock/centos-stream-8-x86_64-bootstrap/root/usr/bin + su + regular + 0 + 0 + 1616081916 + 1616081905 + 1611212671 + 50336 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/grub2-set-bootflag + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin + grub2-set-bootflag + regular + 0 + 0 + 1616082183 + 1616082164 + 1614718321 + 12016 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + 
/var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/unix_chkpwd + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin + unix_chkpwd + regular + 0 + 0 + 1616082183 + 1616082168 + 1592240895 + 37864 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin/pam_timestamp_check + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/sbin + pam_timestamp_check + regular + 0 + 0 + 1616082183 + 1616082168 + 1592240895 + 12320 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + tar + x86_64 + 2 + 1.fc34 + 1.34 + 2:1.34-1.fc34 + 1161ae6945719a39 + tar-2:1.34-1.fc34.x86_64 + + + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/libexec/dbus-1/dbus-daemon-launch-helper + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/libexec/dbus-1 + dbus-daemon-launch-helper + regular + 81 + 0 + 1616082183 + 1616082168 + 1596570686 + 63760 + true + false + false + true + true + true + true + false + true + false + false + false + false + + + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/libexec/utempter/utempter + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/libexec/utempter + utempter + regular + 22 + 0 + 1616082183 + 1616082168 + 1557538847 + 13344 + false + true + false + true + true + true + false + false + true + false + false + true + false + + + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/mount + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin + mount + regular + 0 + 0 + 1616082179 + 1616082168 + 1595350557 + 50456 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/umount + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin + umount + regular + 0 + 0 + 1616082179 + 1616082168 + 1595350557 + 33648 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + 
/var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/chage + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin + chage + regular + 0 + 0 + 1616082179 + 1616082167 + 1597266683 + 79648 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/gpasswd + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin + gpasswd + regular + 0 + 0 + 1616082179 + 1616082167 + 1597266683 + 84296 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/newgrp + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin + newgrp + regular + 0 + 0 + 1616082179 + 1616082167 + 1597266683 + 43560 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/write + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin + write + regular + 5 + 0 + 1616082179 + 1616082168 + 1595350557 + 21232 + false + true + false + true + true + true + true + false + true + true + false + true + false + + + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin/su + /var/lib/mock/centos-8-x86_64-bootstrap/root/usr/bin + su + regular + 0 + 0 + 1616082179 + 1616082168 + 1595350557 + 50320 + true + false + false + true + true + true + true + false + true + true + false + true + false + + + /var/lib/snapd/snap/core/10823/usr/sbin/pppd + /var/lib/snapd/snap/core/10823/usr/sbin + pppd + regular + 30 + 0 + 1595516992 + 1595516992 + 1595516992 + 394984 + true + false + false + true + true + true + true + false + true + true + false + false + + + + scap-security-guide + noarch + (none) + 1.fc34 + 0.1.56 + 0:0.1.56-1.fc34 + 1161ae6945719a39 + scap-security-guide-0:0.1.56-1.fc34.noarch + + + /var/lib/snapd/snap/core/10823/usr/lib/snapd/snap-confine + /var/lib/snapd/snap/core/10823/usr/lib/snapd + snap-confine + regular + 0 + 0 + 1612300057 + 
1612300057 + 1612300057 + 110656 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/usr/lib/openssh/ssh-keysign + /var/lib/snapd/snap/core/10823/usr/lib/openssh + ssh-keysign + regular + 0 + 0 + 1590535059 + 1590535059 + 1590535059 + 428240 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/usr/lib/dbus-1.0/dbus-daemon-launch-helper + /var/lib/snapd/snap/core/10823/usr/lib/dbus-1.0 + dbus-daemon-launch-helper + regular + 103 + 0 + 1591905986 + 1591905986 + 1591905986 + 42992 + true + false + false + true + true + true + true + false + true + true + false + false + + + + /var/lib/snapd/snap/core/10823/usr/bin/wall + /var/lib/snapd/snap/core/10823/usr/bin + wall + regular + 5 + 0 + 1580135287 + 1580135287 + 1580135287 + 27368 + false + true + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/usr/bin/sudo + /var/lib/snapd/snap/core/10823/usr/bin + sudo + regular + 0 + 0 + 1611162536 + 1611162536 + 1611162536 + 136808 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/usr/bin/ssh-agent + /var/lib/snapd/snap/core/10823/usr/bin + ssh-agent + regular + 105 + 0 + 1590535059 + 1590535059 + 1590535059 + 358624 + false + true + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/usr/bin/passwd + /var/lib/snapd/snap/core/10823/usr/bin + passwd + regular + 0 + 0 + 1553515788 + 1553515788 + 1553515788 + 54256 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/usr/bin/newgrp + /var/lib/snapd/snap/core/10823/usr/bin + newgrp + regular + 0 + 0 + 1553515789 + 1553515789 + 1553515789 + 39904 + true + false + false + true + true + true + true + false + true + true + 
false + true + + + + /var/lib/snapd/snap/core/10823/usr/bin/mail-unlock + /var/lib/snapd/snap/core/10823/usr/bin + mail-unlock + regular + 8 + 0 + 1354577870 + 1354577870 + 1354577870 + 14592 + false + true + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/usr/bin/mail-touchlock + /var/lib/snapd/snap/core/10823/usr/bin + mail-touchlock + regular + 8 + 0 + 1354577870 + 1354577870 + 1354577870 + 14592 + false + true + false + true + true + true + true + false + true + true + false + true + + + + rng-tools + x86_64 + (none) + 2.git.d207e0b6.fc34 + 6.13 + 0:6.13-2.git.d207e0b6.fc34 + 1161ae6945719a39 + rng-tools-0:6.13-2.git.d207e0b6.fc34.x86_64 + + + /var/lib/snapd/snap/core/10823/usr/bin/mail-lock + /var/lib/snapd/snap/core/10823/usr/bin + mail-lock + regular + 8 + 0 + 1354577870 + 1354577870 + 1354577870 + 14592 + false + true + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/usr/bin/gpasswd + /var/lib/snapd/snap/core/10823/usr/bin + gpasswd + regular + 0 + 0 + 1553515788 + 1553515788 + 1553515788 + 75304 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/usr/bin/expiry + /var/lib/snapd/snap/core/10823/usr/bin + expiry + regular + 42 + 0 + 1553515788 + 1553515788 + 1553515788 + 22768 + false + true + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/usr/bin/dotlockfile + /var/lib/snapd/snap/core/10823/usr/bin + dotlockfile + regular + 8 + 0 + 1386385702 + 1386385702 + 1386385702 + 14856 + false + true + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/usr/bin/crontab + /var/lib/snapd/snap/core/10823/usr/bin + crontab + regular + 102 + 0 + 1459893553 + 1459893553 + 1459893553 + 36080 + false + true + false + true + true + true + true + false + true + 
true + false + true + + + + /var/lib/snapd/snap/core/10823/usr/bin/chsh + /var/lib/snapd/snap/core/10823/usr/bin + chsh + regular + 0 + 0 + 1553515788 + 1553515788 + 1553515788 + 40432 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/usr/bin/chfn + /var/lib/snapd/snap/core/10823/usr/bin + chfn + regular + 0 + 0 + 1553515788 + 1553515788 + 1553515788 + 71824 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/usr/bin/chage + /var/lib/snapd/snap/core/10823/usr/bin + chage + regular + 42 + 0 + 1553515788 + 1553515788 + 1553515788 + 62336 + false + true + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/sbin/unix_chkpwd + /var/lib/snapd/snap/core/10823/sbin + unix_chkpwd + regular + 42 + 0 + 1601512597 + 1601512597 + 1601512597 + 35600 + false + true + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/sbin/pam_extrausers_chkpwd + /var/lib/snapd/snap/core/10823/sbin + pam_extrausers_chkpwd + regular + 42 + 0 + 1601512597 + 1601512597 + 1601512597 + 35632 + false + true + false + true + true + true + true + false + true + true + false + true + + + + openscap-scanner + x86_64 + 1 + 2.fc34 + 1.3.5 + 1:1.3.5-2.fc34 + 1161ae6945719a39 + openscap-scanner-1:1.3.5-2.fc34.x86_64 + + + /var/lib/snapd/snap/core/10823/bin/umount + /var/lib/snapd/snap/core/10823/bin + umount + regular + 0 + 0 + 1580135287 + 1580135287 + 1580135287 + 27608 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/bin/su + /var/lib/snapd/snap/core/10823/bin + su + regular + 0 + 0 + 1553515789 + 1553515789 + 1553515789 + 40128 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/bin/ping6 + 
/var/lib/snapd/snap/core/10823/bin + ping6 + regular + 0 + 0 + 1399491947 + 1399491947 + 1399491947 + 44680 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/bin/ping + /var/lib/snapd/snap/core/10823/bin + ping + regular + 0 + 0 + 1399491947 + 1399491947 + 1399491947 + 44168 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10823/bin/mount + /var/lib/snapd/snap/core/10823/bin + mount + regular + 0 + 0 + 1580135287 + 1580135287 + 1580135287 + 40152 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/usr/sbin/pppd + /var/lib/snapd/snap/core/10583/usr/sbin + pppd + regular + 30 + 0 + 1595516992 + 1595516992 + 1595516992 + 394984 + true + false + false + true + true + true + true + false + true + true + false + false + + + + /var/lib/snapd/snap/core/10583/usr/lib/snapd/snap-confine + /var/lib/snapd/snap/core/10583/usr/lib/snapd + snap-confine + regular + 0 + 0 + 1608063387 + 1608063387 + 1608063387 + 110792 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/usr/lib/openssh/ssh-keysign + /var/lib/snapd/snap/core/10583/usr/lib/openssh + ssh-keysign + regular + 0 + 0 + 1590535059 + 1590535059 + 1590535059 + 428240 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/usr/lib/dbus-1.0/dbus-daemon-launch-helper + /var/lib/snapd/snap/core/10583/usr/lib/dbus-1.0 + dbus-daemon-launch-helper + regular + 103 + 0 + 1591905986 + 1591905986 + 1591905986 + 42992 + true + false + false + true + true + true + true + false + true + true + false + false + + + + /var/lib/snapd/snap/core/10583/usr/bin/wall + /var/lib/snapd/snap/core/10583/usr/bin + wall + regular + 5 + 0 + 1580135287 + 1580135287 + 1580135287 + 27368 + 
false + true + false + true + true + true + true + false + true + true + false + true + + + + nss-tools + x86_64 + (none) + 1.fc34 + 3.69.0 + 0:3.69.0-1.fc34 + 1161ae6945719a39 + nss-tools-0:3.69.0-1.fc34.x86_64 + + + /var/lib/snapd/snap/core/10583/usr/bin/sudo + /var/lib/snapd/snap/core/10583/usr/bin + sudo + regular + 0 + 0 + 1580495844 + 1580495844 + 1580495844 + 136808 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/usr/bin/ssh-agent + /var/lib/snapd/snap/core/10583/usr/bin + ssh-agent + regular + 105 + 0 + 1590535059 + 1590535059 + 1590535059 + 358624 + false + true + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/usr/bin/passwd + /var/lib/snapd/snap/core/10583/usr/bin + passwd + regular + 0 + 0 + 1553515788 + 1553515788 + 1553515788 + 54256 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/usr/bin/newgrp + /var/lib/snapd/snap/core/10583/usr/bin + newgrp + regular + 0 + 0 + 1553515789 + 1553515789 + 1553515789 + 39904 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/usr/bin/mail-unlock + /var/lib/snapd/snap/core/10583/usr/bin + mail-unlock + regular + 8 + 0 + 1354577870 + 1354577870 + 1354577870 + 14592 + false + true + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/usr/bin/mail-touchlock + /var/lib/snapd/snap/core/10583/usr/bin + mail-touchlock + regular + 8 + 0 + 1354577870 + 1354577870 + 1354577870 + 14592 + false + true + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/usr/bin/mail-lock + /var/lib/snapd/snap/core/10583/usr/bin + mail-lock + regular + 8 + 0 + 1354577870 + 1354577870 + 1354577870 + 14592 + false + true + false + true + true + 
true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/usr/bin/gpasswd + /var/lib/snapd/snap/core/10583/usr/bin + gpasswd + regular + 0 + 0 + 1553515788 + 1553515788 + 1553515788 + 75304 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/usr/bin/expiry + /var/lib/snapd/snap/core/10583/usr/bin + expiry + regular + 42 + 0 + 1553515788 + 1553515788 + 1553515788 + 22768 + false + true + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/usr/bin/dotlockfile + /var/lib/snapd/snap/core/10583/usr/bin + dotlockfile + regular + 8 + 0 + 1386385702 + 1386385702 + 1386385702 + 14856 + false + true + false + true + true + true + true + false + true + true + false + true + + + + gnutls-utils + x86_64 + (none) + 1.fc34 + 3.7.2 + 0:3.7.2-1.fc34 + 1161ae6945719a39 + gnutls-utils-0:3.7.2-1.fc34.x86_64 + + + /var/lib/snapd/snap/core/10583/usr/bin/crontab + /var/lib/snapd/snap/core/10583/usr/bin + crontab + regular + 102 + 0 + 1459893553 + 1459893553 + 1459893553 + 36080 + false + true + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/usr/bin/chsh + /var/lib/snapd/snap/core/10583/usr/bin + chsh + regular + 0 + 0 + 1553515788 + 1553515788 + 1553515788 + 40432 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/usr/bin/chfn + /var/lib/snapd/snap/core/10583/usr/bin + chfn + regular + 0 + 0 + 1553515788 + 1553515788 + 1553515788 + 71824 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/usr/bin/chage + /var/lib/snapd/snap/core/10583/usr/bin + chage + regular + 42 + 0 + 1553515788 + 1553515788 + 1553515788 + 62336 + false + true + false + true + true + true + true + false + true + true + false + true + + + + 
/var/lib/snapd/snap/core/10583/sbin/unix_chkpwd + /var/lib/snapd/snap/core/10583/sbin + unix_chkpwd + regular + 42 + 0 + 1601512597 + 1601512597 + 1601512597 + 35600 + false + true + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/sbin/pam_extrausers_chkpwd + /var/lib/snapd/snap/core/10583/sbin + pam_extrausers_chkpwd + regular + 42 + 0 + 1601512597 + 1601512597 + 1601512597 + 35632 + false + true + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/bin/umount + /var/lib/snapd/snap/core/10583/bin + umount + regular + 0 + 0 + 1580135287 + 1580135287 + 1580135287 + 27608 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/bin/su + /var/lib/snapd/snap/core/10583/bin + su + regular + 0 + 0 + 1553515789 + 1553515789 + 1553515789 + 40128 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/bin/ping6 + /var/lib/snapd/snap/core/10583/bin + ping6 + regular + 0 + 0 + 1399491947 + 1399491947 + 1399491947 + 44680 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/lib/snapd/snap/core/10583/bin/ping + /var/lib/snapd/snap/core/10583/bin + ping + regular + 0 + 0 + 1399491947 + 1399491947 + 1399491947 + 44168 + true + false + false + true + true + true + true + false + true + true + false + true + + + + binutils + x86_64 + (none) + 4.fc34 + 2.35.2 + 0:2.35.2-4.fc34 + 1161ae6945719a39 + binutils-0:2.35.2-4.fc34.x86_64 + + + /var/lib/snapd/snap/core/10583/bin/mount + /var/lib/snapd/snap/core/10583/bin + mount + regular + 0 + 0 + 1580135287 + 1580135287 + 1580135287 + 40152 + true + false + false + true + true + true + true + false + true + true + false + true + + + + /var/log/audit + + directory + 0 + 0 + 1629119798 + 1629101630 + 1628717227 + 4096 + false + false + 
false + true + true + true + false + false + false + false + false + false + false + + + /var/log/audit/audit.log.3 + /var/log/audit + audit.log.3 + regular + 0 + 0 + 1619262745 + 1629099981 + 1621606687 + 8388706 + false + false + false + true + false + false + false + false + false + false + false + false + false + + + /var/log/audit/audit.log.1 + /var/log/audit + audit.log.1 + regular + 0 + 0 + 1624285778 + 1629099981 + 1626110967 + 8388734 + false + false + false + true + false + false + false + false + false + false + false + false + false + + + /var/log/audit/audit.log.4 + /var/log/audit + audit.log.4 + regular + 0 + 0 + 1617696607 + 1629099981 + 1619262745 + 8388688 + false + false + false + true + false + false + false + false + false + false + false + false + false + + + /var/log/audit/audit.log + /var/log/audit + audit.log + regular + 0 + 0 + 1626110967 + 1629119793 + 1629119793 + 5212031 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /var/log/audit/audit.log.2 + /var/log/audit + audit.log.2 + regular + 0 + 0 + 1621606687 + 1629099981 + 1624285778 + 8388611 + false + false + false + true + false + false + false + false + false + false + false + false + false + + + /etc/audit/auditd.conf + /etc/audit + auditd.conf + ^[ ]*log_group[ ]+=[ ]+root[ ]*$ + 1 + ^[ ]*log_group[ ]+=[ ]+root[ ]*$ + log_group = root + + + x86_64 + rh-hony + Linux + 5.13.8-200.fc34.x86_64 + #1 SMP Wed Aug 4 19:59:54 UTC 2021 + x86_64 + + + /usr/lib/systemd/system/auditd.service + /usr/lib/systemd/system + auditd.service + ^ExecStartPost=\-\/sbin\/augenrules.*$ + 1 + ^ExecStartPost=\-\/sbin\/augenrules.*$ + ExecStartPost=-/sbin/augenrules --load + + + /etc/crypto-policies/back-ends/krb5.config + /usr/share/crypto-policies/DEFAULT/krb5.txt + + + /boot/grub2/grubenv + /boot/grub2 + grubenv + ^kernelopts=(.*)$ + 1 + ^kernelopts=(.*)$ + kernelopts=root=/dev/mapper/fedora_localhost--live-root ro 
resume=/dev/mapper/fedora_localhost--live-swap rd.lvm.lv=fedora_localhost-live/root rd.luks.uuid=luks-d6e9ed6a-a261-4e3c-a325-4794ab4551bb rd.lvm.lv=fedora_localhost-live/swap rhgb quiet + root=/dev/mapper/fedora_localhost--live-root ro resume=/dev/mapper/fedora_localhost--live-swap rd.lvm.lv=fedora_localhost-live/root rd.luks.uuid=luks-d6e9ed6a-a261-4e3c-a325-4794ab4551bb rd.lvm.lv=fedora_localhost-live/swap rhgb quiet + + + auditd.service + ActiveState + active + + + audit + x86_64 + (none) + 1.fc34 + 3.0.5 + 0:3.0.5-1.fc34 + 1161ae6945719a39 + audit-0:3.0.5-1.fc34.x86_64 + + + oval:ssg-var_etc_login_defs_umask_as_number:var:1 + 18 + + + /etc/login.defs + /etc + login.defs + ^[\s]*UMASK[\s]+([^#\s]*) + 1 + ^[\s]*UMASK[\s]+([^#\s]*) + UMASK 022 + 022 + + + oval:ssg-var_accounts_user_umask_umask_as_number:var:1 + 23 + + + 102447 + PATH + /usr/sbin:/usr/bin:/sbin:/bin:/root/bin + + + /etc/login.defs + /etc + login.defs + ^[\s]*(?i)CREATE_HOME(?-i)[\s]+yes[\s]*(?:#.*)?$ + 1 + ^[\s]*(?i)CREATE_HOME(?-i)[\s]+yes[\s]*(?:#.*)?$ + CREATE_HOME yes + +# + + + oval:ssg-variable_count_of_all_usernames_from_etc_passwd:var:1 + 51 + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 51 + ^([^:]+):.*$ + systemd-oom:x:975:969:systemd Userspace OOM Killer:/:/sbin/nologin + systemd-oom + + + oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 + /usr/share/crypto-policies/DEFAULT/krb5.txt + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 50 + ^([^:]+):.*$ + clamupdate:x:976:973:Clamav database update user:/var/lib/clamav:/sbin/nologin + clamupdate + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 49 + ^([^:]+):.*$ + pkg-build:x:977:974:lpf local package build user:/var/lib/lpf:/sbin/nologin + pkg-build + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 48 + ^([^:]+):.*$ + jrodak:x:1000:1000:Jan Rodák:/home/jrodak:/bin/bash + jrodak + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 47 + ^([^:]+):.*$ + tcpdump:x:72:72::/:/sbin/nologin + tcpdump + + + /etc/passwd + /etc + 
passwd + ^([^:]+):.*$ + 46 + ^([^:]+):.*$ + vboxadd:x:978:1::/var/run/vboxadd:/sbin/nologin + vboxadd + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 45 + ^([^:]+):.*$ + sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin + sshd + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 44 + ^([^:]+):.*$ + gnome-initial-setup:x:979:977::/run/gnome-initial-setup/:/sbin/nologin + gnome-initial-setup + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 43 + ^([^:]+):.*$ + gdm:x:42:42::/var/lib/gdm:/sbin/nologin + gdm + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 42 + ^([^:]+):.*$ + flatpak:x:980:978:User for flatpak system helper:/:/sbin/nologin + flatpak + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 41 + ^([^:]+):.*$ + nm-openconnect:x:981:979:NetworkManager user for OpenConnect:/:/sbin/nologin + nm-openconnect + + + /etc/krb5.conf.d/crypto-policies + /usr/share/crypto-policies/DEFAULT/krb5.txt + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 40 + ^([^:]+):.*$ + abrt:x:173:173::/etc/abrt:/sbin/nologin + abrt + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 39 + ^([^:]+):.*$ + nm-openvpn:x:982:981:Default user for running openvpn spawned by NetworkManager:/:/sbin/nologin + nm-openvpn + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 38 + ^([^:]+):.*$ + openvpn:x:983:982:OpenVPN:/etc/openvpn:/sbin/nologin + openvpn + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 37 + ^([^:]+):.*$ + rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin + rpcuser + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 36 + ^([^:]+):.*$ + colord:x:984:984:User for colord:/var/lib/colord:/sbin/nologin + colord + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 35 + ^([^:]+):.*$ + apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin + apache + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 34 + ^([^:]+):.*$ + rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin + rpc + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 33 + ^([^:]+):.*$ + radvd:x:75:75:radvd 
user:/:/sbin/nologin + radvd + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 32 + ^([^:]+):.*$ + saslauth:x:985:76:Saslauthd user:/run/saslauthd:/sbin/nologin + saslauth + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 31 + ^([^:]+):.*$ + geoclue:x:986:986:User for geoclue:/var/lib/geoclue:/sbin/nologin + geoclue + + + openssh-server + x86_64 + (none) + 3.fc34 + 8.6p1 + 0:8.6p1-3.fc34 + 1161ae6945719a39 + openssh-server-0:8.6p1-3.fc34.x86_64 + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 30 + ^([^:]+):.*$ + dnsmasq:x:987:987:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/usr/sbin/nologin + dnsmasq + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 29 + ^([^:]+):.*$ + usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin + usbmuxd + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 28 + ^([^:]+):.*$ + unbound:x:993:988:Unbound DNS resolver:/etc/unbound:/sbin/nologin + unbound + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 27 + ^([^:]+):.*$ + chrony:x:994:989::/var/lib/chrony:/sbin/nologin + chrony + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 26 + ^([^:]+):.*$ + pipewire:x:995:990:PipeWire System Daemon:/var/run/pipewire:/sbin/nologin + pipewire + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 25 + ^([^:]+):.*$ + avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin + avahi + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 24 + ^([^:]+):.*$ + systemd-timesync:x:996:991:systemd Time Synchronization:/:/sbin/nologin + systemd-timesync + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 23 + ^([^:]+):.*$ + pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin + pulse + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 22 + ^([^:]+):.*$ + rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin + rtkit + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 21 + ^([^:]+):.*$ + polkitd:x:997:994:User for polkitd:/:/sbin/nologin + polkitd + + + oval:ssg-sshd_required:var:1 + 0 + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 20 + 
^([^:]+):.*$ + gluster:x:998:996:GlusterFS daemons:/run/gluster:/sbin/nologin + gluster + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 19 + ^([^:]+):.*$ + qemu:x:107:107:qemu user:/:/sbin/nologin + qemu + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 18 + ^([^:]+):.*$ + tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin + tss + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 17 + ^([^:]+):.*$ + dbus:x:81:81:System message bus:/:/sbin/nologin + dbus + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 16 + ^([^:]+):.*$ + systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin + systemd-resolve + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 15 + ^([^:]+):.*$ + systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin + systemd-network + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 14 + ^([^:]+):.*$ + systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin + systemd-coredump + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 13 + ^([^:]+):.*$ + nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin + nobody + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 12 + ^([^:]+):.*$ + ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin + ftp + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 11 + ^([^:]+):.*$ + games:x:12:100:games:/usr/games:/sbin/nologin + games + + + oval:ssg-var_system_crypto_policy:var:1 + FIPS + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 10 + ^([^:]+):.*$ + operator:x:11:0:operator:/root:/sbin/nologin + operator + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 9 + ^([^:]+):.*$ + mail:x:8:12:mail:/var/spool/mail:/sbin/nologin + mail + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 8 + ^([^:]+):.*$ + halt:x:7:0:halt:/sbin:/sbin/halt + halt + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 7 + ^([^:]+):.*$ + shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown + shutdown + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 6 + ^([^:]+):.*$ + sync:x:5:0:sync:/sbin:/bin/sync + 
sync + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 5 + ^([^:]+):.*$ + lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin + lp + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 4 + ^([^:]+):.*$ + adm:x:3:4:adm:/var/adm:/sbin/nologin + adm + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 3 + ^([^:]+):.*$ + daemon:x:2:2:daemon:/sbin:/sbin/nologin + daemon + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 2 + ^([^:]+):.*$ + bin:x:1:1:bin:/bin:/sbin/nologin + bin + + + /etc/passwd + /etc + passwd + ^([^:]+):.*$ + 1 + ^([^:]+):.*$ + root:x:0:0:root:/root:/bin/bash + root + + + unix + + + oval:ssg-var_password_pam_unix_rounds:var:1 + 5000 + + + /etc/pam.d/system-auth + /etc/pam.d + system-auth + ^[^#]*\bnullok\b.*$ + 1 + ^[^#]*\bnullok\b.*$ + +auth required pam_env.so +auth required pam_faildelay.so delay=2000000 +auth sufficient pam_fprintd.so +auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular +auth [default=1 ignore=ignore success=ok] pam_localuser.so +auth sufficient pam_unix.so nullok try_first_pass +auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular +auth sufficient pam_sss.so forward_pass +auth required pam_deny.so + +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_usertype.so issystem +account [default=bad success=ok user_unknown=ignore] pam_sss.so +account required pam_permit.so + +password requisite pam_pwquality.so try_first_pass local_users_only +password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok + + + systemd-oom + x + 975 + 969 + systemd Userspace OOM Killer + / + /sbin/nologin + 0 + + + clamupdate + x + 976 + 973 + Clamav database update user + /var/lib/clamav + /sbin/nologin + 0 + + + pkg-build + x + 977 + 974 + lpf local package build user + /var/lib/lpf + /sbin/nologin + 0 + + + jrodak + x + 1000 + 1000 + Jan Rodák + /home/jrodak + /bin/bash + 1629100017 + + + tcpdump + x + 72 + 72 + + / + /sbin/nologin + 0 + + + vboxadd + x + 978 + 1 + + 
/var/run/vboxadd + /sbin/nologin + 0 + + + sshd + x + 74 + 74 + Privilege-separated SSH + /var/empty/sshd + /sbin/nologin + 0 + + + gnome-initial-setup + x + 979 + 977 + + /run/gnome-initial-setup/ + /sbin/nologin + 1595292679 + + + /etc/crypto-policies/back-ends/nss.config + /etc/crypto-policies/back-ends + nss.config + regular + 0 + 0 + 1629105434 + 1629101700 + 1629101700 + 447 + false + false + false + true + true + false + true + false + false + true + false + false + false + + + gdm + x + 42 + 42 + + /var/lib/gdm + /sbin/nologin + 1629099988 + + + flatpak + x + 980 + 978 + User for flatpak system helper + / + /sbin/nologin + 0 + + + nm-openconnect + x + 981 + 979 + NetworkManager user for OpenConnect + / + /sbin/nologin + 0 + + + abrt + x + 173 + 173 + + /etc/abrt + /sbin/nologin + 0 + + + nm-openvpn + x + 982 + 981 + Default user for running openvpn spawned by NetworkManager + / + /sbin/nologin + 0 + + + openvpn + x + 983 + 982 + OpenVPN + /etc/openvpn + /sbin/nologin + 0 + + + rpcuser + x + 29 + 29 + RPC Service User + /var/lib/nfs + /sbin/nologin + 0 + + + colord + x + 984 + 984 + User for colord + /var/lib/colord + /sbin/nologin + 0 + + + apache + x + 48 + 48 + Apache + /usr/share/httpd + /sbin/nologin + 0 + + + rpc + x + 32 + 32 + Rpcbind Daemon + /var/lib/rpcbind + /sbin/nologin + 0 + + + /etc/crypto-policies/state/current + /etc/crypto-policies/state + current + regular + 0 + 0 + 1629119796 + 1629101700 + 1629101700 + 8 + false + false + false + true + true + false + true + false + false + true + false + false + false + + + radvd + x + 75 + 75 + radvd user + / + /sbin/nologin + 0 + + + saslauth + x + 985 + 76 + Saslauthd user + /run/saslauthd + /sbin/nologin + 0 + + + geoclue + x + 986 + 986 + User for geoclue + /var/lib/geoclue + /sbin/nologin + 0 + + + dnsmasq + x + 987 + 987 + Dnsmasq DHCP and DNS server + /var/lib/dnsmasq + /usr/sbin/nologin + 0 + + + usbmuxd + x + 113 + 113 + usbmuxd user + / + /sbin/nologin + 0 + + + unbound + x + 993 + 988 + 
Unbound DNS resolver + /etc/unbound + /sbin/nologin + 0 + + + chrony + x + 994 + 989 + + /var/lib/chrony + /sbin/nologin + 0 + + + pipewire + x + 995 + 990 + PipeWire System Daemon + /var/run/pipewire + /sbin/nologin + 0 + + + avahi + x + 70 + 70 + Avahi mDNS/DNS-SD Stack + /var/run/avahi-daemon + /sbin/nologin + 0 + + + systemd-timesync + x + 996 + 991 + systemd Time Synchronization + / + /sbin/nologin + 0 + + + oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 + 1574949854 + + + pulse + x + 171 + 171 + PulseAudio System Daemon + /var/run/pulse + /sbin/nologin + 0 + + + rtkit + x + 172 + 172 + RealtimeKit + /proc + /sbin/nologin + 0 + + + polkitd + x + 997 + 994 + User for polkitd + / + /sbin/nologin + 0 + + + gluster + x + 998 + 996 + GlusterFS daemons + /run/gluster + /sbin/nologin + 0 + + + qemu + x + 107 + 107 + qemu user + / + /sbin/nologin + 0 + + + tss + x + 59 + 59 + Account used by the trousers package to sandbox the tcsd daemon + /dev/null + /sbin/nologin + 0 + + + dbus + x + 81 + 81 + System message bus + / + /sbin/nologin + 0 + + + systemd-resolve + x + 193 + 193 + systemd Resolver + / + /sbin/nologin + 0 + + + systemd-network + x + 192 + 192 + systemd Network Management + / + /sbin/nologin + 0 + + + systemd-coredump + x + 999 + 997 + systemd Core Dumper + / + /sbin/nologin + 0 + + + /etc/crypto-policies/config + /etc/crypto-policies + config + regular + 0 + 0 + 1629101700 + 1595306746 + 1574949854 + 858 + false + false + false + true + true + false + true + false + false + true + false + false + false + + + nobody + x + 65534 + 65534 + Kernel Overflow User + / + /sbin/nologin + -1 + + + ftp + x + 14 + 50 + FTP User + /var/ftp + /sbin/nologin + 0 + + + games + x + 12 + 100 + games + /usr/games + /sbin/nologin + 0 + + + operator + x + 11 + 0 + operator + /root + /sbin/nologin + 0 + + + mail + x + 8 + 12 + mail + /var/spool/mail + /sbin/nologin + 0 + + + halt + x + 7 + 0 + halt + /sbin + /sbin/halt + 0 + + + shutdown + x + 6 + 0 + shutdown + 
/sbin + /sbin/shutdown + 0 + + + sync + x + 5 + 0 + sync + /sbin + /bin/sync + 0 + + + lp + x + 4 + 7 + lp + /var/spool/lpd + /sbin/nologin + 0 + + + adm + x + 3 + 4 + adm + /var/adm + /sbin/nologin + 0 + + + /etc/crypto-policies/state/current + /etc/crypto-policies/state + current + ^(?!#)(\S+)$ + 1 + ^(?!#)(\S+)$ + DEFAULT + DEFAULT + + + daemon + x + 2 + 2 + daemon + /sbin + /sbin/nologin + 0 + + + bin + x + 1 + 1 + bin + /bin + /sbin/nologin + 0 + + + root + x + 0 + 0 + root + /root + /bin/bash + 1616080358 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 87 + ^.*:x:([0-9]+): + sgx:x:966: + 966 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 86 + ^.*:x:([0-9]+): + power:x:967: + 967 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 85 + ^.*:x:([0-9]+): + rtlsdr:x:968: + 968 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 84 + ^.*:x:([0-9]+): + systemd-oom:x:969: + 969 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 83 + ^.*:x:([0-9]+): + docker:x:970: + 970 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 82 + ^.*:x:([0-9]+): + ccache:x:971: + 971 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 81 + ^.*:x:([0-9]+): + virusgroup:x:972: + 972 + + + /etc/crypto-policies/config + /etc/crypto-policies + config + ^(?!#)(\S+)$ + 1 + ^(?!#)(\S+)$ + DEFAULT + DEFAULT + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 80 + ^.*:x:([0-9]+): + clamupdate:x:973: + 973 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 79 + ^.*:x:([0-9]+): + pkg-build:x:974: + 974 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 78 + ^.*:x:([0-9]+): + jackuser:x:975: + 975 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 77 + ^.*:x:([0-9]+): + mock:x:135: + 135 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 76 + ^.*:x:([0-9]+): + stapdev:x:158: + 158 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 75 + ^.*:x:([0-9]+): + stapsys:x:157: + 157 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 74 + ^.*:x:([0-9]+): + stapusr:x:156: + 156 + + + /etc/group 
+ /etc + group + ^.*:x:([0-9]+): + 73 + ^.*:x:([0-9]+): + jrodak:x:1000: + 1000 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 72 + ^.*:x:([0-9]+): + tcpdump:x:72: + 72 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 71 + ^.*:x:([0-9]+): + slocate:x:21: + 21 + + + crypto.fips_enabled + 0 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 70 + ^.*:x:([0-9]+): + vboxsf:x:976: + 976 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 69 + ^.*:x:([0-9]+): + sshd:x:74: + 74 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 68 + ^.*:x:([0-9]+): + gnome-initial-setup:x:977: + 977 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 67 + ^.*:x:([0-9]+): + gdm:x:42: + 42 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 66 + ^.*:x:([0-9]+): + flatpak:x:978: + 978 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 65 + ^.*:x:([0-9]+): + nm-openconnect:x:979: + 979 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 64 + ^.*:x:([0-9]+): + brlapi:x:980: + 980 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 63 + ^.*:x:([0-9]+): + abrt:x:173: + 173 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 62 + ^.*:x:([0-9]+): + nm-openvpn:x:981: + 981 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 61 + ^.*:x:([0-9]+): + openvpn:x:982: + 982 + + + gdm + 1 + 40.1 + 1.fc34 + x86_64 + /var/log/gdm + gdm-1:40.1-1.fc34.x86_64 + pass + fail + not performed + pass + pass + pass + fail + pass + pass + false + false + false + false + false + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 60 + ^.*:x:([0-9]+): + libvirt:x:983: + 983 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 59 + ^.*:x:([0-9]+): + rpcuser:x:29: + 29 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 58 + ^.*:x:([0-9]+): + colord:x:984: + 984 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 57 + ^.*:x:([0-9]+): + apache:x:48: + 48 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 56 + ^.*:x:([0-9]+): + ssh_keys:x:985: + 985 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 55 + 
^.*:x:([0-9]+): + rpc:x:32: + 32 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 54 + ^.*:x:([0-9]+): + radvd:x:75: + 75 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 53 + ^.*:x:([0-9]+): + saslauth:x:76: + 76 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 52 + ^.*:x:([0-9]+): + geoclue:x:986: + 986 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 51 + ^.*:x:([0-9]+): + dnsmasq:x:987: + 987 + + + efi-filesystem + (none) + 5 + 2.fc34 + noarch + /boot/efi/EFI + efi-filesystem-0:5-2.fc34.noarch + pass + fail + not performed + pass + pass + pass + pass + pass + pass + false + false + false + false + false + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 50 + ^.*:x:([0-9]+): + usbmuxd:x:113: + 113 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 49 + ^.*:x:([0-9]+): + unbound:x:988: + 988 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 48 + ^.*:x:([0-9]+): + chrony:x:989: + 989 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 47 + ^.*:x:([0-9]+): + pipewire:x:990: + 990 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 46 + ^.*:x:([0-9]+): + avahi:x:70: + 70 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 45 + ^.*:x:([0-9]+): + systemd-timesync:x:991: + 991 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 44 + ^.*:x:([0-9]+): + pulse:x:171: + 171 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 43 + ^.*:x:([0-9]+): + pulse-rt:x:992: + 992 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 42 + ^.*:x:([0-9]+): + pulse-access:x:993: + 993 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 41 + ^.*:x:([0-9]+): + rtkit:x:172: + 172 + + + texlive-hyphen-base + 9 + svn54763 + 38.fc34 + noarch + /usr/share/texlive/texmf-dist/tex/generic/config/language.dat + texlive-hyphen-base-9:svn54763-38.fc34.noarch + fail + fail + not performed + pass + pass + pass + pass + fail + pass + false + false + false + false + false + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 40 + ^.*:x:([0-9]+): + polkitd:x:994: + 994 + + + /etc/group + /etc + 
group + ^.*:x:([0-9]+): + 39 + ^.*:x:([0-9]+): + printadmin:x:995: + 995 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 38 + ^.*:x:([0-9]+): + gluster:x:996: + 996 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 37 + ^.*:x:([0-9]+): + qemu:x:107: + 107 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 36 + ^.*:x:([0-9]+): + dip:x:40: + 40 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 35 + ^.*:x:([0-9]+): + tss:x:59: + 59 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 34 + ^.*:x:([0-9]+): + dbus:x:81: + 81 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 33 + ^.*:x:([0-9]+): + systemd-resolve:x:193: + 193 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 32 + ^.*:x:([0-9]+): + systemd-network:x:192: + 192 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 31 + ^.*:x:([0-9]+): + systemd-coredump:x:997: + 997 + + + mactel-boot + (none) + 0.9 + 24.fc34 + x86_64 + /boot/efi/mach_kernel + mactel-boot-0:0.9-24.fc34.x86_64 + pass + fail + not performed + pass + pass + pass + pass + pass + pass + false + false + false + false + false + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 30 + ^.*:x:([0-9]+): + systemd-journal:x:190: + 190 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 29 + ^.*:x:([0-9]+): + render:x:998: + 998 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 28 + ^.*:x:([0-9]+): + kvm:x:36: + 36 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 27 + ^.*:x:([0-9]+): + input:x:999: + 999 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 26 + ^.*:x:([0-9]+): + utempter:x:35: + 35 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 25 + ^.*:x:([0-9]+): + utmp:x:22: + 22 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 24 + ^.*:x:([0-9]+): + nobody:x:65534: + 65534 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 23 + ^.*:x:([0-9]+): + users:x:100: + 100 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 22 + ^.*:x:([0-9]+): + audio:x:63: + 63 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 21 + ^.*:x:([0-9]+): + 
lock:x:54: + 54 + + + mactel-boot + (none) + 0.9 + 24.fc34 + x86_64 + /boot/efi/System/Library/CoreServices/SystemVersion.plist + mactel-boot-0:0.9-24.fc34.x86_64 + pass + fail + not performed + pass + pass + pass + pass + pass + pass + false + false + false + false + false + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 20 + ^.*:x:([0-9]+): + ftp:x:50: + 50 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 19 + ^.*:x:([0-9]+): + video:x:39: + 39 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 18 + ^.*:x:([0-9]+): + tape:x:33: + 33 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 17 + ^.*:x:([0-9]+): + games:x:20: + 20 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 16 + ^.*:x:([0-9]+): + floppy:x:19: + 19 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 15 + ^.*:x:([0-9]+): + dialout:x:18: + 18 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 14 + ^.*:x:([0-9]+): + man:x:15: + 15 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 13 + ^.*:x:([0-9]+): + mail:x:12: + 12 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 12 + ^.*:x:([0-9]+): + cdrom:x:11: + 11 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 11 + ^.*:x:([0-9]+): + wheel:x:10: + 10 + + + mactel-boot + (none) + 0.9 + 24.fc34 + x86_64 + /boot/efi/System/Library/CoreServices + mactel-boot-0:0.9-24.fc34.x86_64 + pass + fail + not performed + pass + pass + pass + pass + pass + pass + false + false + false + false + false + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 10 + ^.*:x:([0-9]+): + kmem:x:9: + 9 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 9 + ^.*:x:([0-9]+): + mem:x:8: + 8 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 8 + ^.*:x:([0-9]+): + lp:x:7: + 7 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 7 + ^.*:x:([0-9]+): + disk:x:6: + 6 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 6 + ^.*:x:([0-9]+): + tty:x:5: + 5 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 5 + ^.*:x:([0-9]+): + adm:x:4: + 4 + + + /etc/group + /etc + group + 
^.*:x:([0-9]+): + 4 + ^.*:x:([0-9]+): + sys:x:3: + 3 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 3 + ^.*:x:([0-9]+): + daemon:x:2: + 2 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 2 + ^.*:x:([0-9]+): + bin:x:1: + 1 + + + /etc/group + /etc + group + ^.*:x:([0-9]+): + 1 + ^.*:x:([0-9]+): + root:x:0: + 0 + + + mactel-boot + (none) + 0.9 + 24.fc34 + x86_64 + /boot/efi/System/Library + mactel-boot-0:0.9-24.fc34.x86_64 + pass + fail + not performed + pass + pass + pass + pass + pass + pass + false + false + false + false + false + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 51 + ^.*:[0-9]+:([0-9]+): + systemd-oom:x:975:969: + 969 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 50 + ^.*:[0-9]+:([0-9]+): + clamupdate:x:976:973: + 973 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 49 + ^.*:[0-9]+:([0-9]+): + pkg-build:x:977:974: + 974 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 48 + ^.*:[0-9]+:([0-9]+): + jrodak:x:1000:1000: + 1000 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 47 + ^.*:[0-9]+:([0-9]+): + tcpdump:x:72:72: + 72 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 46 + ^.*:[0-9]+:([0-9]+): + vboxadd:x:978:1: + 1 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 45 + ^.*:[0-9]+:([0-9]+): + sshd:x:74:74: + 74 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 44 + ^.*:[0-9]+:([0-9]+): + gnome-initial-setup:x:979:977: + 977 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 43 + ^.*:[0-9]+:([0-9]+): + gdm:x:42:42: + 42 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 42 + ^.*:[0-9]+:([0-9]+): + flatpak:x:980:978: + 978 + + + mactel-boot + (none) + 0.9 + 24.fc34 + x86_64 + /boot/efi/System + mactel-boot-0:0.9-24.fc34.x86_64 + pass + fail + not performed + pass + pass + pass + pass + pass + pass + false + false + false + false + false + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 41 + ^.*:[0-9]+:([0-9]+): + nm-openconnect:x:981:979: + 
979 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 40 + ^.*:[0-9]+:([0-9]+): + abrt:x:173:173: + 173 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 39 + ^.*:[0-9]+:([0-9]+): + nm-openvpn:x:982:981: + 981 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 38 + ^.*:[0-9]+:([0-9]+): + openvpn:x:983:982: + 982 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 37 + ^.*:[0-9]+:([0-9]+): + rpcuser:x:29:29: + 29 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 36 + ^.*:[0-9]+:([0-9]+): + colord:x:984:984: + 984 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 35 + ^.*:[0-9]+:([0-9]+): + apache:x:48:48: + 48 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 34 + ^.*:[0-9]+:([0-9]+): + rpc:x:32:32: + 32 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 33 + ^.*:[0-9]+:([0-9]+): + radvd:x:75:75: + 75 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 32 + ^.*:[0-9]+:([0-9]+): + saslauth:x:985:76: + 76 + + + accountsservice + (none) + 0.6.55 + 6.fc34 + x86_64 + /var/lib/AccountsService/icons + accountsservice-0:0.6.55-6.fc34.x86_64 + pass + fail + not performed + pass + pass + pass + pass + pass + pass + false + false + false + false + false + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 31 + ^.*:[0-9]+:([0-9]+): + geoclue:x:986:986: + 986 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 30 + ^.*:[0-9]+:([0-9]+): + dnsmasq:x:987:987: + 987 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 29 + ^.*:[0-9]+:([0-9]+): + usbmuxd:x:113:113: + 113 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 28 + ^.*:[0-9]+:([0-9]+): + unbound:x:993:988: + 988 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 27 + ^.*:[0-9]+:([0-9]+): + chrony:x:994:989: + 989 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 26 + ^.*:[0-9]+:([0-9]+): + pipewire:x:995:990: + 990 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 25 + ^.*:[0-9]+:([0-9]+): + 
avahi:x:70:70: + 70 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 24 + ^.*:[0-9]+:([0-9]+): + systemd-timesync:x:996:991: + 991 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 23 + ^.*:[0-9]+:([0-9]+): + pulse:x:171:171: + 171 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 22 + ^.*:[0-9]+:([0-9]+): + rtkit:x:172:172: + 172 + + + texlive-hyphen-base + 9 + svn54763 + 38.fc34 + noarch + /usr/share/texlive/texmf-dist/tex/generic/config/language.def + texlive-hyphen-base-9:svn54763-38.fc34.noarch + fail + pass + fail + pass + pass + pass + pass + fail + pass + false + false + false + false + false + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 21 + ^.*:[0-9]+:([0-9]+): + polkitd:x:997:994: + 994 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 20 + ^.*:[0-9]+:([0-9]+): + gluster:x:998:996: + 996 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 19 + ^.*:[0-9]+:([0-9]+): + qemu:x:107:107: + 107 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 18 + ^.*:[0-9]+:([0-9]+): + tss:x:59:59: + 59 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 17 + ^.*:[0-9]+:([0-9]+): + dbus:x:81:81: + 81 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 16 + ^.*:[0-9]+:([0-9]+): + systemd-resolve:x:193:193: + 193 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 15 + ^.*:[0-9]+:([0-9]+): + systemd-network:x:192:192: + 192 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 14 + ^.*:[0-9]+:([0-9]+): + systemd-coredump:x:999:997: + 997 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 13 + ^.*:[0-9]+:([0-9]+): + nobody:x:65534:65534: + 65534 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 12 + ^.*:[0-9]+:([0-9]+): + ftp:x:14:50: + 50 + + + texlive-hyphen-base + 9 + svn54763 + 38.fc34 + noarch + /usr/share/texlive/texmf-dist/tex/generic/config/language.dat + texlive-hyphen-base-9:svn54763-38.fc34.noarch + fail + fail + fail + pass + pass + pass + pass + fail + pass + 
false + false + false + false + false + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 11 + ^.*:[0-9]+:([0-9]+): + games:x:12:100: + 100 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 10 + ^.*:[0-9]+:([0-9]+): + operator:x:11:0: + 0 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 9 + ^.*:[0-9]+:([0-9]+): + mail:x:8:12: + 12 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 8 + ^.*:[0-9]+:([0-9]+): + halt:x:7:0: + 0 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 7 + ^.*:[0-9]+:([0-9]+): + shutdown:x:6:0: + 0 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 6 + ^.*:[0-9]+:([0-9]+): + sync:x:5:0: + 0 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 5 + ^.*:[0-9]+:([0-9]+): + lp:x:4:7: + 7 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 4 + ^.*:[0-9]+:([0-9]+): + adm:x:3:4: + 4 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 3 + ^.*:[0-9]+:([0-9]+): + daemon:x:2:2: + 2 + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 2 + ^.*:[0-9]+:([0-9]+): + bin:x:1:1: + 1 + + + /proc/cpuinfo + /proc + cpuinfo + ^flags\s+:\s+(.*)$ + 2 + ^flags\s+:\s+(.*)$ + flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d arch_capabilities + fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov 
pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d arch_capabilities + + + /etc/passwd + /etc + passwd + ^.*:[0-9]+:([0-9]+): + 1 + ^.*:[0-9]+:([0-9]+): + root:x:0:0: + 0 + + + /etc/login.defs + /etc + login.defs + .*\n(?!#|SYS_)(UID_MIN[\s]+[\d]+)\s*\n + 1 + .*\n(?!#|SYS_)(UID_MIN[\s]+[\d]+)\s*\n + # +# Please note that the parameters in this configuration file control the +# behavior of the tools from the shadow-utils component. None of these +# tools uses the PAM mechanism, and the utilities that use PAM (such as the +# passwd command) should therefore be configured elsewhere. Refer to +# /etc/pam.d/system-auth for more information. +# + +# +# Delay in seconds before being allowed another attempt after a login failure +# Note: When PAM is used, some modules may enforce a minimum delay (e.g. +# pam_unix(8) enforces a 2s delay) +# +#FAIL_DELAY 3 + +# Currently FAILLOG_ENAB is not supported + +# +# Enable display of unknown usernames when login(1) failures are recorded. +# +#LOG_UNKFAIL_ENAB no + +# Currently LOG_OK_LOGINS is not supported + +# Currently LASTLOG_ENAB is not supported + +# +# Limit the highest user ID number for which the lastlog entries should +# be updated. +# +# No LASTLOG_UID_MAX means that there is no user ID limit for writing +# lastlog entries. 
+# +#LASTLOG_UID_MAX + +# Currently MAIL_CHECK_ENAB is not supported + +# Currently OBSCURE_CHECKS_ENAB is not supported + +# Currently PORTTIME_CHECKS_ENAB is not supported + +# Currently QUOTAS_ENAB is not supported + +# Currently SYSLOG_SU_ENAB is not supported + +# +# Enable "syslog" logging of newgrp(1) and sg(1) activity. +# +#SYSLOG_SG_ENAB yes + +# Currently CONSOLE is not supported + +# Currently SULOG_FILE is not supported + +# Currently MOTD_FILE is not supported + +# Currently ISSUE_FILE is not supported + +# Currently TTYTYPE_FILE is not supported + +# Currently FTMP_FILE is not supported + +# Currently NOLOGINS_FILE is not supported + +# Currently SU_NAME is not supported + +# *REQUIRED* +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define both, MAIL_DIR takes precedence. +# +MAIL_DIR /var/spool/mail +#MAIL_FILE .mail + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +#HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# Currently ENV_TZ is not supported + +# Currently ENV_HZ is not supported + +# +# The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin +#ENV_PATH PATH=/bin:/usr/bin + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a write(1) program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP as the number of such group +# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and +# set TTYPERM to either 622 or 600. 
+# +#TTYGROUP tty +#TTYPERM 0600 + +# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported + +# Default initial "umask" value used by login(1) on non-PAM enabled systems. +# Default "umask" value for pam_umask(8) on PAM enabled systems. +# UMASK is also used by useradd(8) and newusers(8) to set the mode for new +# home directories if HOME_MODE is not set. +# 022 is the default value, but 027, or even 077, could be considered +# for increased privacy. There is no One True Answer here: each sysadmin +# must make up their mind. +UMASK 022 + +# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new +# home directories. +# If HOME_MODE is not set, the value of UMASK is used to create the mode. +HOME_MODE 0700 + +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_MIN_LEN Minimum acceptable password length. +# PASS_WARN_AGE Number of days warning given before a password expires. 
+# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# Currently PASS_MIN_LEN is not supported + +# Currently SU_WHEEL_ONLY is not supported + +# Currently CRACKLIB_DICTPATH is not supported + +# +# Min/max values for automatic uid selection in useradd(8) +# +UID_MIN 1000 + + UID_MIN 1000 + + + abrt + x86_64 + (none) + 3.fc34 + 2.14.6 + 0:2.14.6-3.fc34 + 1161ae6945719a39 + abrt-0:2.14.6-3.fc34.x86_64 + + + sshd.service + FragmentPath + /usr/lib/systemd/system/sshd.service + + + sshd.service + LoadState + loaded + + + sshd.service + ActiveState + active + + + sssd.service + FragmentPath + /usr/lib/systemd/system/sssd.service + + + sssd.service + LoadState + loaded + + + sssd.service + ActiveState + active + + + sssd-common + x86_64 + (none) + 1.fc34 + 2.5.2 + 0:2.5.2-1.fc34 + 1161ae6945719a39 + sssd-common-0:2.5.2-1.fc34.x86_64 + + + /etc/passwd + /etc + passwd + ^(?!root).*:x:([\d]+):[\d]+:[^:]*:[^:]*:(?!\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$ + 1 + ^(?!root).*:x:([\d]+):[\d]+:[^:]*:[^:]*:(?!\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$ + jrodak:x:1000:1000:Jan Rodák:/home/jrodak:/bin/bash + 1000 + + + sssd-ipa + x86_64 + (none) + 1.fc34 + 2.5.2 + 0:2.5.2-1.fc34 + 1161ae6945719a39 + sssd-ipa-0:2.5.2-1.fc34.x86_64 + + + rngd.service + ActiveState + active + + + openldap-clients + x86_64 + (none) + 5.fc34 + 2.4.57 + 0:2.4.57-5.fc34 + 1161ae6945719a39 + openldap-clients-0:2.4.57-5.fc34.x86_64 + + + /etc/chrony.conf + /etc + chrony.conf + ^[\s]*(?:server|pool)[\s]+.+$ + 1 + ^[\s]*(?:server|pool)[\s]+.+$ + pool 2.fedora.pool.ntp.org iburst + + + /etc/sysconfig/chronyd + /etc/sysconfig + chronyd + regular + 0 + 0 + 1629099981 + 1622809648 + 1620918817 + 46 + false + false + false + true + true + false + true + false + false + true + false + false + false + + + /etc/sysconfig/chronyd + /etc/sysconfig + chronyd + ^[ \t]*OPTIONS=(.+?)[ \t]*(?:$|#) + 1 + ^[ \t]*OPTIONS=(.+?)[ \t]*(?:$|#) 
+ OPTIONS="" + "" + + + ntpd.service + ActiveState + inactive + + + chronyd.service + ActiveState + active + + + /etc/login.defs + /etc + login.defs + .*\n[^#]*(SYS_UID_MAX[\s]+[\d]+)\s*\n + 1 + .*\n[^#]*(SYS_UID_MAX[\s]+[\d]+)\s*\n + # +# Please note that the parameters in this configuration file control the +# behavior of the tools from the shadow-utils component. None of these +# tools uses the PAM mechanism, and the utilities that use PAM (such as the +# passwd command) should therefore be configured elsewhere. Refer to +# /etc/pam.d/system-auth for more information. +# + +# +# Delay in seconds before being allowed another attempt after a login failure +# Note: When PAM is used, some modules may enforce a minimum delay (e.g. +# pam_unix(8) enforces a 2s delay) +# +#FAIL_DELAY 3 + +# Currently FAILLOG_ENAB is not supported + +# +# Enable display of unknown usernames when login(1) failures are recorded. +# +#LOG_UNKFAIL_ENAB no + +# Currently LOG_OK_LOGINS is not supported + +# Currently LASTLOG_ENAB is not supported + +# +# Limit the highest user ID number for which the lastlog entries should +# be updated. +# +# No LASTLOG_UID_MAX means that there is no user ID limit for writing +# lastlog entries. +# +#LASTLOG_UID_MAX + +# Currently MAIL_CHECK_ENAB is not supported + +# Currently OBSCURE_CHECKS_ENAB is not supported + +# Currently PORTTIME_CHECKS_ENAB is not supported + +# Currently QUOTAS_ENAB is not supported + +# Currently SYSLOG_SU_ENAB is not supported + +# +# Enable "syslog" logging of newgrp(1) and sg(1) activity. 
+# +#SYSLOG_SG_ENAB yes + +# Currently CONSOLE is not supported + +# Currently SULOG_FILE is not supported + +# Currently MOTD_FILE is not supported + +# Currently ISSUE_FILE is not supported + +# Currently TTYTYPE_FILE is not supported + +# Currently FTMP_FILE is not supported + +# Currently NOLOGINS_FILE is not supported + +# Currently SU_NAME is not supported + +# *REQUIRED* +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define both, MAIL_DIR takes precedence. +# +MAIL_DIR /var/spool/mail +#MAIL_FILE .mail + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +#HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# Currently ENV_TZ is not supported + +# Currently ENV_HZ is not supported + +# +# The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin +#ENV_PATH PATH=/bin:/usr/bin + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a write(1) program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP as the number of such group +# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and +# set TTYPERM to either 622 or 600. +# +#TTYGROUP tty +#TTYPERM 0600 + +# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported + +# Default initial "umask" value used by login(1) on non-PAM enabled systems. +# Default "umask" value for pam_umask(8) on PAM enabled systems. +# UMASK is also used by useradd(8) and newusers(8) to set the mode for new +# home directories if HOME_MODE is not set. 
+# 022 is the default value, but 027, or even 077, could be considered +# for increased privacy. There is no One True Answer here: each sysadmin +# must make up their mind. +UMASK 022 + +# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new +# home directories. +# If HOME_MODE is not set, the value of UMASK is used to create the mode. +HOME_MODE 0700 + +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_MIN_LEN Minimum acceptable password length. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# Currently PASS_MIN_LEN is not supported + +# Currently SU_WHEEL_ONLY is not supported + +# Currently CRACKLIB_DICTPATH is not supported + +# +# Min/max values for automatic uid selection in useradd(8) +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +SYS_UID_MIN 201 +SYS_UID_MAX 999 + + SYS_UID_MAX 999 + + + chrony + x86_64 + (none) + 1.fc34 + 4.1 + 0:4.1-1.fc34 + 1161ae6945719a39 + chrony-0:4.1-1.fc34.x86_64 + + + /etc/systemd/system/default.target + /usr/lib/systemd/system/graphical.target + + + xorg-x11-server-common + x86_64 + (none) + 1.fc34 + 1.20.11 + 0:1.20.11-1.fc34 + 1161ae6945719a39 + xorg-x11-server-common-0:1.20.11-1.fc34.x86_64 + + + nfs-server.service + FragmentPath + /usr/lib/systemd/system/nfs-server.service + + + nfs-server.service + LoadState + loaded + + + nfs-server.service + ActiveState + inactive + + + nfs-utils + x86_64 + 1 + 0.fc34 + 2.5.4 + 1:2.5.4-0.fc34 + 1161ae6945719a39 + nfs-utils-1:2.5.4-0.fc34.x86_64 + + + atd.service + FragmentPath + /usr/lib/systemd/system/atd.service + + + atd.service + LoadState + loaded + + + atd.service + ActiveState + active + + + /etc/login.defs + /etc + login.defs + .*\n[^#]*(SYS_UID_MIN[\s]+[\d]+)\s*\n + 1 + .*\n[^#]*(SYS_UID_MIN[\s]+[\d]+)\s*\n + # +# Please note that the parameters in 
this configuration file control the +# behavior of the tools from the shadow-utils component. None of these +# tools uses the PAM mechanism, and the utilities that use PAM (such as the +# passwd command) should therefore be configured elsewhere. Refer to +# /etc/pam.d/system-auth for more information. +# + +# +# Delay in seconds before being allowed another attempt after a login failure +# Note: When PAM is used, some modules may enforce a minimum delay (e.g. +# pam_unix(8) enforces a 2s delay) +# +#FAIL_DELAY 3 + +# Currently FAILLOG_ENAB is not supported + +# +# Enable display of unknown usernames when login(1) failures are recorded. +# +#LOG_UNKFAIL_ENAB no + +# Currently LOG_OK_LOGINS is not supported + +# Currently LASTLOG_ENAB is not supported + +# +# Limit the highest user ID number for which the lastlog entries should +# be updated. +# +# No LASTLOG_UID_MAX means that there is no user ID limit for writing +# lastlog entries. +# +#LASTLOG_UID_MAX + +# Currently MAIL_CHECK_ENAB is not supported + +# Currently OBSCURE_CHECKS_ENAB is not supported + +# Currently PORTTIME_CHECKS_ENAB is not supported + +# Currently QUOTAS_ENAB is not supported + +# Currently SYSLOG_SU_ENAB is not supported + +# +# Enable "syslog" logging of newgrp(1) and sg(1) activity. +# +#SYSLOG_SG_ENAB yes + +# Currently CONSOLE is not supported + +# Currently SULOG_FILE is not supported + +# Currently MOTD_FILE is not supported + +# Currently ISSUE_FILE is not supported + +# Currently TTYTYPE_FILE is not supported + +# Currently FTMP_FILE is not supported + +# Currently NOLOGINS_FILE is not supported + +# Currently SU_NAME is not supported + +# *REQUIRED* +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define both, MAIL_DIR takes precedence. +# +MAIL_DIR /var/spool/mail +#MAIL_FILE .mail + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. 
If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +#HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# Currently ENV_TZ is not supported + +# Currently ENV_HZ is not supported + +# +# The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin +#ENV_PATH PATH=/bin:/usr/bin + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a write(1) program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP as the number of such group +# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and +# set TTYPERM to either 622 or 600. +# +#TTYGROUP tty +#TTYPERM 0600 + +# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported + +# Default initial "umask" value used by login(1) on non-PAM enabled systems. +# Default "umask" value for pam_umask(8) on PAM enabled systems. +# UMASK is also used by useradd(8) and newusers(8) to set the mode for new +# home directories if HOME_MODE is not set. +# 022 is the default value, but 027, or even 077, could be considered +# for increased privacy. There is no One True Answer here: each sysadmin +# must make up their mind. +UMASK 022 + +# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new +# home directories. +# If HOME_MODE is not set, the value of UMASK is used to create the mode. +HOME_MODE 0700 + +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_MIN_LEN Minimum acceptable password length. +# PASS_WARN_AGE Number of days warning given before a password expires. 
+# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# Currently PASS_MIN_LEN is not supported + +# Currently SU_WHEEL_ONLY is not supported + +# Currently CRACKLIB_DICTPATH is not supported + +# +# Min/max values for automatic uid selection in useradd(8) +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +SYS_UID_MIN 201 + + SYS_UID_MIN 201 + + + at + x86_64 + (none) + 6.fc34 + 3.1.23 + 0:3.1.23-6.fc34 + 1161ae6945719a39 + at-0:3.1.23-6.fc34.x86_64 + + + crond.service + ActiveState + active + + + cronie + x86_64 + (none) + 1.fc34 + 1.5.7 + 0:1.5.7-1.fc34 + 1161ae6945719a39 + cronie-0:1.5.7-1.fc34.x86_64 + + + /boot/efi/EFI/fedora/grub.cfg + /boot/efi/EFI/fedora + grub.cfg + regular + 0 + 0 + 1629072000 + 1622811747 + 1622811746 + 143 + false + false + false + true + true + true + false + false + false + false + false + false + + + + /boot/efi/EFI/fedora/grub.cfg.rpmsave + /boot/efi/EFI/fedora + grub.cfg.rpmsave + regular + 0 + 0 + 1622764800 + 1622811747 + 1595292510 + 6375 + false + false + false + true + true + true + false + false + false + false + false + false + + + + /boot/efi/EFI/fedora/grub.cfg + /boot/efi/EFI/fedora + grub.cfg + regular + 0 + 0 + 1628035200 + 1622811747 + 1622811746 + 143 + false + false + false + true + true + true + false + false + false + false + false + false + + + + /dev/ng0n1 + /dev + ng0n1 + system_u + object_r + device_t + s0 + s0 + + + /dev/vga_arbiter + /dev + vga_arbiter + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/mem + /dev + mem + character special + 9 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + false + false + false + false + false + false + + + oval:ssg-variable_last_pass_max_days_instance_value:var:1 + 99999 + + + /dev/null + /dev + null + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + 
false + false + true + true + false + true + true + false + true + true + false + false + + + /dev/port + /dev + port + character special + 9 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + false + false + false + false + false + false + + + /dev/zero + /dev + zero + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /dev/full + /dev + full + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /dev/random + /dev + random + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /dev/urandom + /dev + urandom + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /dev/kmsg + /dev + kmsg + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + false + false + true + false + false + false + + + /dev/tty + /dev + tty + character special + 5 + 0 + 1629113396 + 1629099969 + 1629113392 + 0 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /dev/console + /dev + console + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty0 + /dev + tty0 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /etc/login.defs + /etc + login.defs + ^(?:.*\n)*\s*[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n + 1 + 
^(?:.*\n)*\s*[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n + # +# Please note that the parameters in this configuration file control the +# behavior of the tools from the shadow-utils component. None of these +# tools uses the PAM mechanism, and the utilities that use PAM (such as the +# passwd command) should therefore be configured elsewhere. Refer to +# /etc/pam.d/system-auth for more information. +# + +# +# Delay in seconds before being allowed another attempt after a login failure +# Note: When PAM is used, some modules may enforce a minimum delay (e.g. +# pam_unix(8) enforces a 2s delay) +# +#FAIL_DELAY 3 + +# Currently FAILLOG_ENAB is not supported + +# +# Enable display of unknown usernames when login(1) failures are recorded. +# +#LOG_UNKFAIL_ENAB no + +# Currently LOG_OK_LOGINS is not supported + +# Currently LASTLOG_ENAB is not supported + +# +# Limit the highest user ID number for which the lastlog entries should +# be updated. +# +# No LASTLOG_UID_MAX means that there is no user ID limit for writing +# lastlog entries. +# +#LASTLOG_UID_MAX + +# Currently MAIL_CHECK_ENAB is not supported + +# Currently OBSCURE_CHECKS_ENAB is not supported + +# Currently PORTTIME_CHECKS_ENAB is not supported + +# Currently QUOTAS_ENAB is not supported + +# Currently SYSLOG_SU_ENAB is not supported + +# +# Enable "syslog" logging of newgrp(1) and sg(1) activity. +# +#SYSLOG_SG_ENAB yes + +# Currently CONSOLE is not supported + +# Currently SULOG_FILE is not supported + +# Currently MOTD_FILE is not supported + +# Currently ISSUE_FILE is not supported + +# Currently TTYTYPE_FILE is not supported + +# Currently FTMP_FILE is not supported + +# Currently NOLOGINS_FILE is not supported + +# Currently SU_NAME is not supported + +# *REQUIRED* +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define both, MAIL_DIR takes precedence. 
+# +MAIL_DIR /var/spool/mail +#MAIL_FILE .mail + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +#HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# Currently ENV_TZ is not supported + +# Currently ENV_HZ is not supported + +# +# The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin +#ENV_PATH PATH=/bin:/usr/bin + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a write(1) program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP as the number of such group +# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and +# set TTYPERM to either 622 or 600. +# +#TTYGROUP tty +#TTYPERM 0600 + +# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported + +# Default initial "umask" value used by login(1) on non-PAM enabled systems. +# Default "umask" value for pam_umask(8) on PAM enabled systems. +# UMASK is also used by useradd(8) and newusers(8) to set the mode for new +# home directories if HOME_MODE is not set. +# 022 is the default value, but 027, or even 077, could be considered +# for increased privacy. There is no One True Answer here: each sysadmin +# must make up their mind. +UMASK 022 + +# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new +# home directories. +# If HOME_MODE is not set, the value of UMASK is used to create the mode. +HOME_MODE 0700 + +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. 
+# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_MIN_LEN Minimum acceptable password length. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 + + PASS_MAX_DAYS 99999 + + + /dev/vcs + /dev + vcs + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/vcsu + /dev + vcsu + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/vcsa + /dev + vcsa + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/vcs1 + /dev + vcs1 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/vcsu1 + /dev + vcsu1 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/vcsa1 + /dev + vcsa1 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/tty1 + /dev + tty1 + character special + 5 + 0 + 1629099969 + 1629100020 + 1629099988 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty2 + /dev + tty2 + character special + 5 + 1000 + 1629099969 + 1629100018 + 1629100018 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty3 + /dev + tty3 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + 
true + false + false + true + false + false + false + false + false + + + /dev/tty4 + /dev + tty4 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + oval:ssg-variable_last_pass_min_days_instance_value:var:1 + 0 + + + /dev/tty5 + /dev + tty5 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty6 + /dev + tty6 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty7 + /dev + tty7 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty8 + /dev + tty8 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty9 + /dev + tty9 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty10 + /dev + tty10 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty11 + /dev + tty11 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty12 + /dev + tty12 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty13 + /dev + tty13 + 
character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty14 + /dev + tty14 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /etc/login.defs + /etc + login.defs + .*\n[^#]*(PASS_MIN_DAYS\s+\d+)\s*\n + 1 + .*\n[^#]*(PASS_MIN_DAYS\s+\d+)\s*\n + # +# Please note that the parameters in this configuration file control the +# behavior of the tools from the shadow-utils component. None of these +# tools uses the PAM mechanism, and the utilities that use PAM (such as the +# passwd command) should therefore be configured elsewhere. Refer to +# /etc/pam.d/system-auth for more information. +# + +# +# Delay in seconds before being allowed another attempt after a login failure +# Note: When PAM is used, some modules may enforce a minimum delay (e.g. +# pam_unix(8) enforces a 2s delay) +# +#FAIL_DELAY 3 + +# Currently FAILLOG_ENAB is not supported + +# +# Enable display of unknown usernames when login(1) failures are recorded. +# +#LOG_UNKFAIL_ENAB no + +# Currently LOG_OK_LOGINS is not supported + +# Currently LASTLOG_ENAB is not supported + +# +# Limit the highest user ID number for which the lastlog entries should +# be updated. +# +# No LASTLOG_UID_MAX means that there is no user ID limit for writing +# lastlog entries. +# +#LASTLOG_UID_MAX + +# Currently MAIL_CHECK_ENAB is not supported + +# Currently OBSCURE_CHECKS_ENAB is not supported + +# Currently PORTTIME_CHECKS_ENAB is not supported + +# Currently QUOTAS_ENAB is not supported + +# Currently SYSLOG_SU_ENAB is not supported + +# +# Enable "syslog" logging of newgrp(1) and sg(1) activity. 
+# +#SYSLOG_SG_ENAB yes + +# Currently CONSOLE is not supported + +# Currently SULOG_FILE is not supported + +# Currently MOTD_FILE is not supported + +# Currently ISSUE_FILE is not supported + +# Currently TTYTYPE_FILE is not supported + +# Currently FTMP_FILE is not supported + +# Currently NOLOGINS_FILE is not supported + +# Currently SU_NAME is not supported + +# *REQUIRED* +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define both, MAIL_DIR takes precedence. +# +MAIL_DIR /var/spool/mail +#MAIL_FILE .mail + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +#HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# Currently ENV_TZ is not supported + +# Currently ENV_HZ is not supported + +# +# The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin +#ENV_PATH PATH=/bin:/usr/bin + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a write(1) program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP as the number of such group +# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and +# set TTYPERM to either 622 or 600. +# +#TTYGROUP tty +#TTYPERM 0600 + +# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported + +# Default initial "umask" value used by login(1) on non-PAM enabled systems. +# Default "umask" value for pam_umask(8) on PAM enabled systems. +# UMASK is also used by useradd(8) and newusers(8) to set the mode for new +# home directories if HOME_MODE is not set. 
+# 022 is the default value, but 027, or even 077, could be considered +# for increased privacy. There is no One True Answer here: each sysadmin +# must make up their mind. +UMASK 022 + +# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new +# home directories. +# If HOME_MODE is not set, the value of UMASK is used to create the mode. +HOME_MODE 0700 + +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_MIN_LEN Minimum acceptable password length. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 + + PASS_MIN_DAYS 0 + + + /dev/tty15 + /dev + tty15 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty16 + /dev + tty16 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty17 + /dev + tty17 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty18 + /dev + tty18 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty19 + /dev + tty19 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty20 + /dev + tty20 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty21 + /dev + tty21 + character 
special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty22 + /dev + tty22 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty23 + /dev + tty23 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty24 + /dev + tty24 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + oval:ssg-variable_last_pass_warn_age_instance_value:var:1 + 7 + + + /proc/cpuinfo + /proc + cpuinfo + ^flags\s+:\s+(.*)$ + 1 + ^flags\s+:\s+(.*)$ + flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d arch_capabilities + fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 
ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d arch_capabilities + + + /dev/tty25 + /dev + tty25 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty26 + /dev + tty26 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty27 + /dev + tty27 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty28 + /dev + tty28 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty29 + /dev + tty29 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty30 + /dev + tty30 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty31 + /dev + tty31 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty32 + /dev + tty32 + character special + 5 + 0 + 1629099969 + 1629099969 + 
1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty33 + /dev + tty33 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty34 + /dev + tty34 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /etc/login.defs + /etc + login.defs + .*\n[^#]*(PASS_WARN_AGE\s+\d+)\s*\n + 1 + .*\n[^#]*(PASS_WARN_AGE\s+\d+)\s*\n + # +# Please note that the parameters in this configuration file control the +# behavior of the tools from the shadow-utils component. None of these +# tools uses the PAM mechanism, and the utilities that use PAM (such as the +# passwd command) should therefore be configured elsewhere. Refer to +# /etc/pam.d/system-auth for more information. +# + +# +# Delay in seconds before being allowed another attempt after a login failure +# Note: When PAM is used, some modules may enforce a minimum delay (e.g. +# pam_unix(8) enforces a 2s delay) +# +#FAIL_DELAY 3 + +# Currently FAILLOG_ENAB is not supported + +# +# Enable display of unknown usernames when login(1) failures are recorded. +# +#LOG_UNKFAIL_ENAB no + +# Currently LOG_OK_LOGINS is not supported + +# Currently LASTLOG_ENAB is not supported + +# +# Limit the highest user ID number for which the lastlog entries should +# be updated. +# +# No LASTLOG_UID_MAX means that there is no user ID limit for writing +# lastlog entries. +# +#LASTLOG_UID_MAX + +# Currently MAIL_CHECK_ENAB is not supported + +# Currently OBSCURE_CHECKS_ENAB is not supported + +# Currently PORTTIME_CHECKS_ENAB is not supported + +# Currently QUOTAS_ENAB is not supported + +# Currently SYSLOG_SU_ENAB is not supported + +# +# Enable "syslog" logging of newgrp(1) and sg(1) activity. 
+# +#SYSLOG_SG_ENAB yes + +# Currently CONSOLE is not supported + +# Currently SULOG_FILE is not supported + +# Currently MOTD_FILE is not supported + +# Currently ISSUE_FILE is not supported + +# Currently TTYTYPE_FILE is not supported + +# Currently FTMP_FILE is not supported + +# Currently NOLOGINS_FILE is not supported + +# Currently SU_NAME is not supported + +# *REQUIRED* +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define both, MAIL_DIR takes precedence. +# +MAIL_DIR /var/spool/mail +#MAIL_FILE .mail + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +#HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# Currently ENV_TZ is not supported + +# Currently ENV_HZ is not supported + +# +# The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin +#ENV_PATH PATH=/bin:/usr/bin + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a write(1) program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP as the number of such group +# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and +# set TTYPERM to either 622 or 600. +# +#TTYGROUP tty +#TTYPERM 0600 + +# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported + +# Default initial "umask" value used by login(1) on non-PAM enabled systems. +# Default "umask" value for pam_umask(8) on PAM enabled systems. +# UMASK is also used by useradd(8) and newusers(8) to set the mode for new +# home directories if HOME_MODE is not set. 
+# 022 is the default value, but 027, or even 077, could be considered +# for increased privacy. There is no One True Answer here: each sysadmin +# must make up their mind. +UMASK 022 + +# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new +# home directories. +# If HOME_MODE is not set, the value of UMASK is used to create the mode. +HOME_MODE 0700 + +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_MIN_LEN Minimum acceptable password length. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + + + PASS_WARN_AGE 7 + + + /dev/tty35 + /dev + tty35 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty36 + /dev + tty36 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty37 + /dev + tty37 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty38 + /dev + tty38 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty39 + /dev + tty39 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty40 + /dev + tty40 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty41 + /dev + 
tty41 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty42 + /dev + tty42 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty43 + /dev + tty43 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty44 + /dev + tty44 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /etc/bashrc + /etc + bashrc + ^(.*)$ + 1 + ^(.*)$ + # /etc/bashrc + +# System wide functions and aliases +# Environment stuff goes in /etc/profile + +# It's NOT a good idea to change this file unless you know what you +# are doing. It's much better to create a custom.sh shell script in +# /etc/profile.d/ to make custom changes to your environment, as this +# will prevent the need for merging in future updates. + +# Prevent doublesourcing +if [ -z "$BASHRCSOURCED" ]; then + BASHRCSOURCED="Y" + + # are we an interactive shell? 
+ if [ "$PS1" ]; then + if [ -z "$PROMPT_COMMAND" ]; then + case $TERM in + xterm*|vte*) + if [ -e /etc/sysconfig/bash-prompt-xterm ]; then + PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm + elif [ "${VTE_VERSION:-0}" -ge 3405 ]; then + PROMPT_COMMAND="__vte_prompt_command" + else + PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"' + fi + ;; + screen*) + if [ -e /etc/sysconfig/bash-prompt-screen ]; then + PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen + else + PROMPT_COMMAND='printf "\033k%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"' + fi + ;; + *) + [ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default + ;; + esac + fi + # Turn on parallel history + shopt -s histappend + history -a + # Turn on checkwinsize + shopt -s checkwinsize + [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ " + # You might want to have e.g. tty in prompt (e.g. more virtual machines) + # and console windows + # If you want to do so, just add e.g. + # if [ "$PS1" ]; then + # PS1="[\u@\h:\l \W]\\$ " + # fi + # to your custom modification shell script in /etc/profile.d/ directory + fi + + if ! shopt -q login_shell ; then # We're not a login shell + # Need to redefine pathmunge, it gets undefined at the end of /etc/profile + pathmunge () { + case ":${PATH}:" in + *:"$1":*) + ;; + *) + if [ "$2" = "after" ] ; then + PATH=$PATH:$1 + else + PATH=$1:$PATH + fi + esac + } + + # By default, we want umask to get set. This sets it for non-login shell. 
+ # Current threshold for system reserved uid/gids is 200 + # You could check uidgid reservation validity in + # /usr/share/doc/setup-*/uidgid file + if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then + umask 002 + else + umask 022 + fi + + SHELL=/bin/bash + # Only display echos from profile.d scripts if we are no login shell + # and interactive - otherwise just process them to set envvars + for i in /etc/profile.d/*.sh; do + if [ -r "$i" ]; then + if [ "$PS1" ]; then + . "$i" + else + . "$i" >/dev/null + fi + fi + done + + unset i + unset -f pathmunge + fi + +fi +# vim:ts=4:sw=4 + + # /etc/bashrc + +# System wide functions and aliases +# Environment stuff goes in /etc/profile + +# It's NOT a good idea to change this file unless you know what you +# are doing. It's much better to create a custom.sh shell script in +# /etc/profile.d/ to make custom changes to your environment, as this +# will prevent the need for merging in future updates. + +# Prevent doublesourcing +if [ -z "$BASHRCSOURCED" ]; then + BASHRCSOURCED="Y" + + # are we an interactive shell? 
+ if [ "$PS1" ]; then + if [ -z "$PROMPT_COMMAND" ]; then + case $TERM in + xterm*|vte*) + if [ -e /etc/sysconfig/bash-prompt-xterm ]; then + PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm + elif [ "${VTE_VERSION:-0}" -ge 3405 ]; then + PROMPT_COMMAND="__vte_prompt_command" + else + PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"' + fi + ;; + screen*) + if [ -e /etc/sysconfig/bash-prompt-screen ]; then + PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen + else + PROMPT_COMMAND='printf "\033k%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"' + fi + ;; + *) + [ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default + ;; + esac + fi + # Turn on parallel history + shopt -s histappend + history -a + # Turn on checkwinsize + shopt -s checkwinsize + [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ " + # You might want to have e.g. tty in prompt (e.g. more virtual machines) + # and console windows + # If you want to do so, just add e.g. + # if [ "$PS1" ]; then + # PS1="[\u@\h:\l \W]\\$ " + # fi + # to your custom modification shell script in /etc/profile.d/ directory + fi + + if ! shopt -q login_shell ; then # We're not a login shell + # Need to redefine pathmunge, it gets undefined at the end of /etc/profile + pathmunge () { + case ":${PATH}:" in + *:"$1":*) + ;; + *) + if [ "$2" = "after" ] ; then + PATH=$PATH:$1 + else + PATH=$1:$PATH + fi + esac + } + + # By default, we want umask to get set. This sets it for non-login shell. 
+ # Current threshold for system reserved uid/gids is 200 + # You could check uidgid reservation validity in + # /usr/share/doc/setup-*/uidgid file + if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then + umask 002 + else + umask 022 + fi + + SHELL=/bin/bash + # Only display echos from profile.d scripts if we are no login shell + # and interactive - otherwise just process them to set envvars + for i in /etc/profile.d/*.sh; do + if [ -r "$i" ]; then + if [ "$PS1" ]; then + . "$i" + else + . "$i" >/dev/null + fi + fi + done + + unset i + unset -f pathmunge + fi + +fi +# vim:ts=4:sw=4 + + + + /dev/tty45 + /dev + tty45 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty46 + /dev + tty46 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty47 + /dev + tty47 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty48 + /dev + tty48 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty49 + /dev + tty49 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty50 + /dev + tty50 + character special + 5 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty51 + /dev + tty51 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + 
true + false + false + false + false + false + + + /dev/tty52 + /dev + tty52 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty53 + /dev + tty53 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty54 + /dev + tty54 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /etc/shells + /etc + shells + tmux$ + 1 + tmux$ + tmux + + + /dev/tty55 + /dev + tty55 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty56 + /dev + tty56 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty57 + /dev + tty57 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty58 + /dev + tty58 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty59 + /dev + tty59 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty60 + /dev + tty60 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty61 + /dev + tty61 + character special + 5 + 
0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty62 + /dev + tty62 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/tty63 + /dev + tty63 + character special + 5 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + false + + + /dev/cpu/0/msr + /dev/cpu/0 + msr + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + tmux + x86_64 + (none) + 2.fc34 + 3.1c + 0:3.1c-2.fc34 + 1161ae6945719a39 + tmux-0:3.1c-2.fc34.x86_64 + + + /dev/cpu/0/cpuid + /dev/cpu/0 + cpuid + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/cpu/1/msr + /dev/cpu/1 + msr + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/cpu/1/cpuid + /dev/cpu/1 + cpuid + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/cpu/2/msr + /dev/cpu/2 + msr + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/cpu/2/cpuid + /dev/cpu/2 + cpuid + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/cpu/3/msr + /dev/cpu/3 + msr + 
character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/cpu/3/cpuid + /dev/cpu/3 + cpuid + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/cpu/4/msr + /dev/cpu/4 + msr + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/cpu/4/cpuid + /dev/cpu/4 + cpuid + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/cpu/5/msr + /dev/cpu/5 + msr + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + openssl-pkcs11 + x86_64 + (none) + 2.fc34 + 0.4.11 + 0:0.4.11-2.fc34 + 1161ae6945719a39 + openssl-pkcs11-0:0.4.11-2.fc34.x86_64 + + + /dev/cpu/5/cpuid + /dev/cpu/5 + cpuid + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/cpu/6/msr + /dev/cpu/6 + msr + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/cpu/6/cpuid + /dev/cpu/6 + cpuid + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/cpu/7/msr + /dev/cpu/7 + msr + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + 
false + false + false + false + + + /dev/cpu/7/cpuid + /dev/cpu/7 + cpuid + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/snapshot + /dev + snapshot + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/autofs + /dev + autofs + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + false + false + true + false + false + false + + + /dev/ptmx + /dev + ptmx + character special + 5 + 0 + 1629119384 + 1629099969 + 1629119384 + 0 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /dev/ttyS0 + /dev + ttyS0 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS1 + /dev + ttyS1 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + pcscd.socket + ActiveState + active + + + /dev/ttyS2 + /dev + ttyS2 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS3 + /dev + ttyS3 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS4 + /dev + ttyS4 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS5 + /dev + ttyS5 + character special + 18 + 0 + 1629099969 + 
1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS6 + /dev + ttyS6 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS7 + /dev + ttyS7 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS8 + /dev + ttyS8 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS9 + /dev + ttyS9 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS10 + /dev + ttyS10 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS11 + /dev + ttyS11 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + pcscd.service + ActiveState + active + + + /dev/ttyS12 + /dev + ttyS12 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS13 + /dev + ttyS13 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS14 + /dev + ttyS14 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + 
false + false + false + + + /dev/ttyS15 + /dev + ttyS15 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS16 + /dev + ttyS16 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS17 + /dev + ttyS17 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS18 + /dev + ttyS18 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS19 + /dev + ttyS19 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS20 + /dev + ttyS20 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS21 + /dev + ttyS21 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + pcsc-lite + x86_64 + (none) + 1.fc34 + 1.9.1 + 0:1.9.1-1.fc34 + 1161ae6945719a39 + pcsc-lite-0:1.9.1-1.fc34.x86_64 + + + /dev/ttyS22 + /dev + ttyS22 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS23 + /dev + ttyS23 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + 
+ + /dev/ttyS24 + /dev + ttyS24 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS25 + /dev + ttyS25 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS26 + /dev + ttyS26 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS27 + /dev + ttyS27 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS28 + /dev + ttyS28 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS29 + /dev + ttyS29 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS30 + /dev + ttyS30 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ttyS31 + /dev + ttyS31 + character special + 18 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + opensc + x86_64 + (none) + 4.fc34 + 0.21.0 + 0:0.21.0-4.fc34 + 1161ae6945719a39 + opensc-0:0.21.0-4.fc34.x86_64 + + + /dev/raw/rawctl + /dev/raw + rawctl + character special + 6 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/hpet + /dev 
+ hpet + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/nvram + /dev + nvram + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/hwrng + /dev + hwrng + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/tpm0 + /dev + tpm0 + character special + 0 + 59 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/tpmrm0 + /dev + tpmrm0 + character special + 59 + 59 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/dma_heap/system + /dev/dma_heap + system + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/udmabuf + /dev + udmabuf + character special + 36 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/usbmon0 + /dev + usbmon0 + character special + 0 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/usbmon1 + /dev + usbmon1 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /etc/default/grub + /etc/default + grub + ^\s*GRUB_DISABLE_RECOVERY=(.*)$ + 1 + ^\s*GRUB_DISABLE_RECOVERY=(.*)$ + GRUB_DISABLE_RECOVERY="true" 
+ "true" + + + /proc/sys/kernel/osrelease + /proc/sys/kernel + osrelease + ^.*\.(.*)$ + 1 + ^.*\.(.*)$ + 5.13.8-200.fc34.x86_64 + x86_64 + + + /dev/bus/usb/001/001 + /dev/bus/usb/001 + 001 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /dev/bus/usb/001/002 + /dev/bus/usb/001 + 002 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /dev/bus/usb/002/001 + /dev/bus/usb/002 + 001 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /dev/bus/usb/003/001 + /dev/bus/usb/003 + 001 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /dev/bus/usb/003/002 + /dev/bus/usb/003 + 002 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /dev/bus/usb/003/003 + /dev/bus/usb/003 + 003 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /dev/bus/usb/003/004 + /dev/bus/usb/003 + 004 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /dev/bus/usb/004/001 + /dev/bus/usb/004 + 001 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /dev/bus/usb/005/001 + /dev/bus/usb/005 + 001 + character special + 0 + 0 + 
1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /dev/bus/usb/005/002 + /dev/bus/usb/005 + 002 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /dev/bus/usb/006/001 + /dev/bus/usb/006 + 001 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /dev/bus/usb/006/002 + /dev/bus/usb/006 + 002 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /dev/bus/usb/007/001 + /dev/bus/usb/007 + 001 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /dev/bus/usb/008/001 + /dev/bus/usb/008 + 001 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + false + + + /dev/usbmon2 + /dev + usbmon2 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/usbmon3 + /dev + usbmon3 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/usbmon4 + /dev + usbmon4 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/usbmon5 + /dev + usbmon5 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false 
+ false + true + true + false + false + false + false + false + false + false + false + + + /dev/usbmon6 + /dev + usbmon6 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/usbmon7 + /dev + usbmon7 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/usbmon8 + /dev + usbmon8 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/input/mice + /dev/input + mice + character special + 999 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event0 + /dev/input + event0 + character special + 999 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event1 + /dev/input + event1 + character special + 999 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event2 + /dev/input + event2 + character special + 999 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event3 + /dev/input + event3 + character special + 999 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event4 + /dev/input + event4 + character special + 999 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false 
+ false + false + false + + + /dev/input/event5 + /dev/input + event5 + character special + 999 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event6 + /dev/input + event6 + character special + 999 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event7 + /dev/input + event7 + character special + 999 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /usr/lib/systemd/system/runlevel1.target + /usr/lib/systemd/system + runlevel1.target + ^Requires=.*rescue.service + 1 + ^Requires=.*rescue.service + Requires=sysinit.target rescue.service + + + /dev/input/mouse2 + /dev/input + mouse2 + character special + 999 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event10 + /dev/input + event10 + character special + 999 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event11 + /dev/input + event11 + character special + 999 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event12 + /dev/input + event12 + character special + 999 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event13 + /dev/input + event13 + character special + 999 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + 
/dev/input/event14 + /dev/input + event14 + character special + 999 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event15 + /dev/input + event15 + character special + 999 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event8 + /dev/input + event8 + character special + 999 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event9 + /dev/input + event9 + character special + 999 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event16 + /dev/input + event16 + character special + 999 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /usr/lib/systemd/system/rescue.service + /usr/lib/systemd/system + rescue.service + ^ExecStart=\-.*/usr/lib/systemd/systemd-sulogin-shell[ ]+rescue + 1 + ^ExecStart=\-.*/usr/lib/systemd/systemd-sulogin-shell[ ]+rescue + ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue + + + /dev/input/event17 + /dev/input + event17 + character special + 999 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event18 + /dev/input + event18 + character special + 999 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event19 + /dev/input + event19 + character special + 999 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + 
true + false + false + false + false + false + + + /dev/input/event20 + /dev/input + event20 + character special + 999 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/mouse0 + /dev/input + mouse0 + character special + 999 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event21 + /dev/input + event21 + character special + 999 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/mouse1 + /dev/input + mouse1 + character special + 999 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/input/event22 + /dev/input + event22 + character special + 999 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/rtc0 + /dev + rtc0 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/mapper/control + /dev/mapper + control + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /etc/systemd/system/ctrl-alt-del.target + /usr/lib/systemd/system/reboot.target + + + /dev/mcelog + /dev + mcelog + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/cpu_dma_latency + /dev + cpu_dma_latency + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + 
false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/btrfs-control + /dev + btrfs-control + character special + 6 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/pts/ptmx + /dev/pts + ptmx + character special + 0 + 0 + 1629099952 + 1629099952 + 1629099952 + 0 + false + false + false + false + false + false + false + false + false + false + false + false + + + + /dev/pts/1 + /dev/pts + 1 + character special + 5 + 1000 + 1629119384 + 1629101501 + 1629119384 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + + + + /dev/pts/0 + /dev/pts + 0 + character special + 5 + 1000 + 1629118213 + 1629118213 + 1629118213 + 0 + false + false + false + true + true + false + false + true + false + false + false + false + + + + /dev/fuse + /dev + fuse + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /dev/loop-control + /dev + loop-control + character special + 6 + 0 + 1629099980 + 1629099980 + 1629099980 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/uhid + /dev + uhid + character special + 0 + 0 + 1629099952 + 1629099952 + 1629099952 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/rfkill + /dev + rfkill + character special + 0 + 0 + 1629099970 + 1629100018 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + true + false + false + true + + + /usr/lib/systemd/system/emergency.target + /usr/lib/systemd/system + emergency.target + ^Requires=.*emergency.service + 1 + ^Requires=.*emergency.service + Requires=emergency.service + + + /dev/hidraw0 + /dev + hidraw0 + character special + 0 + 0 + 
1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/hidraw1 + /dev + hidraw1 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/hidraw2 + /dev + hidraw2 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/gpiochip0 + /dev + gpiochip0 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/nvme0 + /dev + nvme0 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/nvme0n1 + /dev + nvme0n1 + block special + 6 + 0 + 1629120247 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/nvme0n1p1 + /dev + nvme0n1p1 + block special + 6 + 0 + 1629120247 + 1629099980 + 1629099980 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/nvme0n1p2 + /dev + nvme0n1p2 + block special + 6 + 0 + 1629120247 + 1629099980 + 1629099980 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/nvme0n1p3 + /dev + nvme0n1p3 + block special + 6 + 0 + 1629101686 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/ng0n1 + /dev + ng0n1 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false 
+ false + + + /usr/lib/systemd/system/emergency.service + /usr/lib/systemd/system + emergency.service + ^ExecStart=\-/usr/lib/systemd/systemd-sulogin-shell[\s]+emergency + 1 + ^ExecStart=\-/usr/lib/systemd/systemd-sulogin-shell[\s]+emergency + ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency + + + /dev/hidraw3 + /dev + hidraw3 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/ptp0 + /dev + ptp0 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/dri/renderD128 + /dev/dri + renderD128 + character special + 998 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /dev/dri/card0 + /dev/dri + card0 + character special + 39 + 0 + 1629099969 + 1629100018 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /dev/drm_dp_aux0 + /dev + drm_dp_aux0 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/drm_dp_aux1 + /dev + drm_dp_aux1 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/drm_dp_aux2 + /dev + drm_dp_aux2 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/fb0 + /dev + fb0 + character special + 39 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false 
+ + + /dev/drm_dp_aux3 + /dev + drm_dp_aux3 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/drm_dp_aux4 + /dev + drm_dp_aux4 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + systemd + x86_64 + (none) + 1.fc34 + 248.7 + 0:248.7-1.fc34 + 1161ae6945719a39 + systemd-0:248.7-1.fc34.x86_64 + + + /dev/drm_dp_aux5 + /dev + drm_dp_aux5 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/usb/hiddev0 + /dev/usb + hiddev0 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/hidraw4 + /dev + hidraw4 + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/dm-0 + /dev + dm-0 + block special + 6 + 0 + 1629101679 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/dm-1 + /dev + dm-1 + block special + 6 + 0 + 1629101679 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/dm-2 + /dev + dm-2 + block special + 6 + 0 + 1629101680 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/zram0 + /dev + zram0 + block special + 6 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/lp0 
+ /dev + lp0 + character special + 7 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/lp1 + /dev + lp1 + character special + 7 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/lp2 + /dev + lp2 + character special + 7 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /etc/libuser.conf + /etc + libuser.conf + ^[\s]*crypt_style[\s]+=[\s]+(?i)sha512[\s]*$ + 1 + ^[\s]*crypt_style[\s]+=[\s]+(?i)sha512[\s]*$ + +crypt_style = sha512 + + + /dev/lp3 + /dev + lp3 + character special + 7 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/cuse + /dev + cuse + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/net/tun + /dev/net + tun + character special + 0 + 0 + 1629117339 + 1629117339 + 1629117339 + 0 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /dev/ppp + /dev + ppp + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/uinput + /dev + uinput + character special + 0 + 0 + 1629100019 + 1629100019 + 1629100019 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/vfio/vfio + /dev/vfio + vfio + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/vhci + 
/dev + vhci + character special + 0 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/vhost-net + /dev + vhost-net + character special + 36 + 0 + 1629117339 + 1629117339 + 1629117339 + 0 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /dev/vhost-vsock + /dev + vhost-vsock + character special + 36 + 0 + 1629099969 + 1629099969 + 1629099969 + 0 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /dev/snd/timer + /dev/snd + timer + character special + 63 + 0 + 1629099970 + 1629100018 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /dev/snd/seq + /dev/snd + seq + character special + 63 + 0 + 1629099970 + 1629100018 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /dev/snd/pcmC1D0p + /dev/snd + pcmC1D0p + character special + 63 + 0 + 1629099970 + 1629100019 + 1629100019 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /dev/snd/pcmC1D0c + /dev/snd + pcmC1D0c + character special + 63 + 0 + 1629099970 + 1629100019 + 1629100019 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /dev/snd/controlC1 + /dev/snd + controlC1 + character special + 63 + 0 + 1629099970 + 1629100018 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /dev/snd/pcmC0D0p + /dev/snd + pcmC0D0p + character special + 63 + 0 + 1629099970 + 1629113096 + 1629113096 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /dev/snd/pcmC0D0c + /dev/snd + pcmC0D0c + character special + 63 + 0 + 1629099970 + 1629118257 + 
1629118257 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /dev/snd/pcmC0D3p + /dev/snd + pcmC0D3p + character special + 63 + 0 + 1629099970 + 1629100019 + 1629100019 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /dev/snd/pcmC0D7p + /dev/snd + pcmC0D7p + character special + 63 + 0 + 1629099970 + 1629100019 + 1629100019 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /dev/snd/pcmC0D8p + /dev/snd + pcmC0D8p + character special + 63 + 0 + 1629099970 + 1629100019 + 1629100019 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /dev/snd/pcmC0D9p + /dev/snd + pcmC0D9p + character special + 63 + 0 + 1629099970 + 1629100019 + 1629100019 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /etc/pam.d/system-auth + /etc/pam.d + system-auth + ^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$ + 1 + ^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$ + password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok + + + /dev/snd/pcmC0D10p + /dev/snd + pcmC0D10p + character special + 63 + 0 + 1629099970 + 1629100019 + 1629100019 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /dev/snd/hwC0D0 + /dev/snd + hwC0D0 + character special + 63 + 0 + 1629099970 + 1629100018 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /dev/snd/hwC0D2 + /dev/snd + hwC0D2 + character special + 63 + 0 + 1629099970 + 1629100018 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /dev/snd/controlC0 + /dev/snd + controlC0 + 
character special + 63 + 0 + 1629099970 + 1629100018 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /dev/acpi_thermal_rel + /dev + acpi_thermal_rel + character special + 0 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/mei0 + /dev + mei0 + character special + 0 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/video0 + /dev + video0 + character special + 39 + 0 + 1629099970 + 1629100018 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /dev/video1 + /dev + video1 + character special + 39 + 0 + 1629099970 + 1629100018 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /dev/media0 + /dev + media0 + character special + 39 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/video2 + /dev + video2 + character special + 39 + 0 + 1629099970 + 1629100018 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + oval:ssg-variable_last_encrypt_method_instance_value:var:1 + SHA512 + + + /dev/video3 + /dev + video3 + character special + 39 + 0 + 1629099970 + 1629100018 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + true + + + /dev/media1 + /dev + media1 + character special + 39 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/dm-3 + /dev + dm-3 + block special + 6 + 0 + 1629120247 + 1629099980 + 1629099980 + 
0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/kvm + /dev + kvm + character special + 36 + 0 + 1629118213 + 1629118213 + 1629118213 + 0 + false + false + false + true + true + false + true + true + false + true + true + false + false + + + /dev/watchdog + /dev + watchdog + character special + 0 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/watchdog0 + /dev + watchdog0 + character special + 0 + 0 + 1629099970 + 1629099970 + 1629099970 + 0 + false + false + false + true + true + false + false + false + false + false + false + false + false + + + /dev/loop0 + /dev + loop0 + block special + 6 + 0 + 1629120247 + 1629099980 + 1629099980 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/loop1 + /dev + loop1 + block special + 6 + 0 + 1629120247 + 1629099980 + 1629099980 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/loop2 + /dev + loop2 + block special + 6 + 0 + 1629120247 + 1629099980 + 1629099980 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/loop3 + /dev + loop3 + block special + 6 + 0 + 1629120247 + 1629099980 + 1629099980 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /etc/login.defs + /etc + login.defs + .*\n[^#]*(ENCRYPT_METHOD\s+\w+)\s*\n + 1 + .*\n[^#]*(ENCRYPT_METHOD\s+\w+)\s*\n + # +# Please note that the parameters in this configuration file control the +# behavior of the tools from the shadow-utils component. None of these +# tools uses the PAM mechanism, and the utilities that use PAM (such as the +# passwd command) should therefore be configured elsewhere. Refer to +# /etc/pam.d/system-auth for more information. 
+# + +# +# Delay in seconds before being allowed another attempt after a login failure +# Note: When PAM is used, some modules may enforce a minimum delay (e.g. +# pam_unix(8) enforces a 2s delay) +# +#FAIL_DELAY 3 + +# Currently FAILLOG_ENAB is not supported + +# +# Enable display of unknown usernames when login(1) failures are recorded. +# +#LOG_UNKFAIL_ENAB no + +# Currently LOG_OK_LOGINS is not supported + +# Currently LASTLOG_ENAB is not supported + +# +# Limit the highest user ID number for which the lastlog entries should +# be updated. +# +# No LASTLOG_UID_MAX means that there is no user ID limit for writing +# lastlog entries. +# +#LASTLOG_UID_MAX + +# Currently MAIL_CHECK_ENAB is not supported + +# Currently OBSCURE_CHECKS_ENAB is not supported + +# Currently PORTTIME_CHECKS_ENAB is not supported + +# Currently QUOTAS_ENAB is not supported + +# Currently SYSLOG_SU_ENAB is not supported + +# +# Enable "syslog" logging of newgrp(1) and sg(1) activity. +# +#SYSLOG_SG_ENAB yes + +# Currently CONSOLE is not supported + +# Currently SULOG_FILE is not supported + +# Currently MOTD_FILE is not supported + +# Currently ISSUE_FILE is not supported + +# Currently TTYTYPE_FILE is not supported + +# Currently FTMP_FILE is not supported + +# Currently NOLOGINS_FILE is not supported + +# Currently SU_NAME is not supported + +# *REQUIRED* +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define both, MAIL_DIR takes precedence. +# +MAIL_DIR /var/spool/mail +#MAIL_FILE .mail + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. 
+# +#HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# Currently ENV_TZ is not supported + +# Currently ENV_HZ is not supported + +# +# The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin +#ENV_PATH PATH=/bin:/usr/bin + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a write(1) program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP as the number of such group +# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and +# set TTYPERM to either 622 or 600. +# +#TTYGROUP tty +#TTYPERM 0600 + +# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported + +# Default initial "umask" value used by login(1) on non-PAM enabled systems. +# Default "umask" value for pam_umask(8) on PAM enabled systems. +# UMASK is also used by useradd(8) and newusers(8) to set the mode for new +# home directories if HOME_MODE is not set. +# 022 is the default value, but 027, or even 077, could be considered +# for increased privacy. There is no One True Answer here: each sysadmin +# must make up their mind. +UMASK 022 + +# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new +# home directories. +# If HOME_MODE is not set, the value of UMASK is used to create the mode. +HOME_MODE 0700 + +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_MIN_LEN Minimum acceptable password length. +# PASS_WARN_AGE Number of days warning given before a password expires. 
+# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# Currently PASS_MIN_LEN is not supported + +# Currently SU_WHEEL_ONLY is not supported + +# Currently CRACKLIB_DICTPATH is not supported + +# +# Min/max values for automatic uid selection in useradd(8) +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +SYS_UID_MIN 201 +SYS_UID_MAX 999 +# Extra per user uids +SUB_UID_MIN 100000 +SUB_UID_MAX 600100000 +SUB_UID_COUNT 65536 + +# +# Min/max values for automatic gid selection in groupadd(8) +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +SYS_GID_MIN 201 +SYS_GID_MAX 999 +# Extra per user group ids +SUB_GID_MIN 100000 +SUB_GID_MAX 600100000 +SUB_GID_COUNT 65536 + +# +# Max number of login(1) retries if password is bad +# +#LOGIN_RETRIES 3 + +# +# Max time in seconds for login(1) +# +#LOGIN_TIMEOUT 60 + +# Currently PASS_CHANGE_TRIES is not supported + +# Currently PASS_ALWAYS_WARN is not supported + +# Currently PASS_MAX_LEN is not supported + +# Currently CHFN_AUTH is not supported + +# +# Which fields may be changed by regular users using chfn(1) - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". 
+# +#CHFN_RESTRICT rwh + +# Currently LOGIN_STRING is not supported + +# Currently MD5_CRYPT_ENAB is not supported + +# +# If set to MD5, MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to BLOWFISH, BLOWFISH-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# +ENCRYPT_METHOD SHA512 + + + ENCRYPT_METHOD SHA512 + + + /dev/vcs2 + /dev + vcs2 + character special + 5 + 0 + 1629099981 + 1629099981 + 1629099981 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/vcsu2 + /dev + vcsu2 + character special + 5 + 0 + 1629099981 + 1629099981 + 1629099981 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/vcsa2 + /dev + vcsa2 + character special + 5 + 0 + 1629099981 + 1629099981 + 1629099981 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/vcs3 + /dev + vcs3 + character special + 5 + 0 + 1629099981 + 1629099981 + 1629099981 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/vcsu3 + /dev + vcsu3 + character special + 5 + 0 + 1629099981 + 1629099981 + 1629099981 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/vcsa3 + /dev + vcsa3 + character special + 5 + 0 + 1629099981 + 1629099981 + 1629099981 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/vcs4 + /dev + vcs4 + character special + 5 + 0 + 1629099981 + 1629099981 + 1629099981 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + 
+ /dev/vcsu4 + /dev + vcsu4 + character special + 5 + 0 + 1629099981 + 1629099981 + 1629099981 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/vcsa4 + /dev + vcsa4 + character special + 5 + 0 + 1629099981 + 1629099981 + 1629099981 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/vcs5 + /dev + vcs5 + character special + 5 + 0 + 1629099981 + 1629099981 + 1629099981 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/vcsu5 + /dev + vcsu5 + character special + 5 + 0 + 1629099981 + 1629099981 + 1629099981 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/vcsa5 + /dev + vcsa5 + character special + 5 + 0 + 1629099981 + 1629099981 + 1629099981 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/vcs6 + /dev + vcs6 + character special + 5 + 0 + 1629099981 + 1629099981 + 1629099981 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/vcsu6 + /dev + vcsu6 + character special + 5 + 0 + 1629099981 + 1629099981 + 1629099981 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /dev/vcsa6 + /dev + vcsa6 + character special + 5 + 0 + 1629099981 + 1629099981 + 1629099981 + 0 + false + false + false + true + true + false + true + true + false + false + false + false + false + + + /etc/selinux/config + /etc/selinux + config + ^SELINUXTYPE=([\w]*)[\s]*$ + 1 + ^SELINUXTYPE=([\w]*)[\s]*$ + SELINUXTYPE=targeted + + + + targeted + + + /proc/1655/arch_status + /proc/1655 + arch_status + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/patch_state + /proc/1655 + patch_state + system_u + system_r + unconfined_service_t + s0 + s0 + + + 
/proc/1655/timerslack_ns + /proc/1655 + timerslack_ns + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/timers + /proc/1655 + timers + system_u + system_r + unconfined_service_t + s0 + s0 + + + /etc/pam.d/system-auth + /etc/pam.d + system-auth + ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$ + 1 + ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$ + +password requisite pam_pwquality.so try_first_pass local_users_only + + + /proc/1655/setgroups + /proc/1655 + setgroups + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/projid_map + /proc/1655 + projid_map + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/gid_map + /proc/1655 + gid_map + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/uid_map + /proc/1655 + uid_map + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/io + /proc/1655 + io + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/coredump_filter + /proc/1655 + coredump_filter + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/sessionid + /proc/1655 + sessionid + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/loginuid + /proc/1655 + loginuid + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/oom_score_adj + /proc/1655 + oom_score_adj + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/oom_adj + /proc/1655 + oom_adj + system_u + system_r + unconfined_service_t + s0 + s0 + + + oval:ssg-var_accounts_passwords_pam_faillock_unlock_time:var:1 + 0 + + + /proc/1655/oom_score + /proc/1655 + oom_score + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/cpu_resctrl_groups + /proc/1655 + cpu_resctrl_groups + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/cgroup + /proc/1655 + cgroup + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/cpuset + /proc/1655 + cpuset 
+ system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/latency + /proc/1655 + latency + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/schedstat + /proc/1655 + schedstat + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/stack + /proc/1655 + stack + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/wchan + /proc/1655 + wchan + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/pagemap + /proc/1655 + pagemap + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/smaps_rollup + /proc/1655 + smaps_rollup + system_u + system_r + unconfined_service_t + s0 + s0 + + + /etc/pam.d/login + /etc/pam.d + login + ^\s*session\s+required\s+pam_namespace\.so\s*$ + 1 + ^\s*session\s+required\s+pam_namespace\.so\s*$ + session required pam_namespace.so + + + /proc/1655/smaps + /proc/1655 + smaps + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/clear_refs + /proc/1655 + clear_refs + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/mountstats + /proc/1655 + mountstats + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/mountinfo + /proc/1655 + mountinfo + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/mounts + /proc/1655 + mounts + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/mem + /proc/1655 + mem + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/numa_maps + /proc/1655 + numa_maps + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/maps + /proc/1655 + maps + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/statm + /proc/1655 + statm + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/stat + /proc/1655 + stat + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/cmdline + /proc/1655 + cmdline + system_u + system_r + unconfined_service_t + s0 + s0 + + + 
/proc/1655/syscall + /proc/1655 + syscall + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/comm + /proc/1655 + comm + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/timens_offsets + /proc/1655 + timens_offsets + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/autogroup + /proc/1655 + autogroup + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/sched + /proc/1655 + sched + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/limits + /proc/1655 + limits + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/personality + /proc/1655 + personality + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/status + /proc/1655 + status + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1655/auxv + /proc/1655 + auxv + system_u + system_r + unconfined_service_t + s0 + s0 + + + /etc/motd + /etc + motd + ^(.*)$ + 1 + ^(.*)$ + + + + + /proc/1655/environ + /proc/1655 + environ + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/arch_status + /proc/1343 + arch_status + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/patch_state + /proc/1343 + patch_state + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/timerslack_ns + /proc/1343 + timerslack_ns + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/timers + /proc/1343 + timers + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/setgroups + /proc/1343 + setgroups + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/projid_map + /proc/1343 + projid_map + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/gid_map + /proc/1343 + gid_map + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/uid_map + /proc/1343 + uid_map + system_u + system_r + unconfined_service_t + s0 + s0 + + + /proc/1343/io + /proc/1343 + io + system_u + 
system_r + unconfined_service_t + s0 + s0 + + + /etc/issue + /etc + issue + ^(.*)$ + 1 + ^(.*)$ + \S +Kernel \r on an \m (\l) + + + \S +Kernel \r on an \m (\l) + + + + + + + + + + + + + + + combine_ovals.py from SCAP Security Guide + 1.3.5 + 5.11 + 2021-08-16T15:12:00 + + + + + + + + + + + + combine_ovals.py from SCAP Security Guide + ssg: [0, 1, 56], python: 3.9.5 + 5.11 + 2021-05-26T00:00:00 + + + + + UEFI system boot mode check + + Fedora + + + Check if system boot mode is UEFI. + + + + + + + + Non-UEFI system boot mode check + + Fedora + + + Check if System boot mode is non-UEFI. + + + + + + + + SSSD is configured to use LDAP + + Fedora + + + Identification provider is not set to ad within /etc/sssd/sssd.conf + + + + + + + + Test for different architecture than s390x + + Fedora + + Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x + + + + + + + + Check if the scan target is a machine + + Fedora + + + Check for absence of files characterizing container filesystems. + + + + + + + + Check if the scan target is a container + + Fedora + + + Check for presence of files characterizing container filesystems. + + + + + + + + + System uses zIPL + + Fedora + + + Checks if system uses zIPL bootloader. + + + + + + + + Package yum is installed + + Fedora + + + Checks if package yum is installed. + + + + + + + + Package systemd is installed + + Fedora + + + Checks if package systemd is installed. + + + + + + + + Package sudo is installed + + Fedora + + + Checks if package sudo is installed. + + + + + + + + Package sssd-common is installed + + Fedora + + + Checks if package sssd-common is installed. + + + + + + + + Package pam is installed + + Fedora + + + Checks if package pam is installed. + + + + + + + + Package ntp is installed + + Fedora + + + Checks if package ntp is installed. + + + + + + + + Package nss-pam-ldapd is installed + + Fedora + + + Checks if package nss-pam-ldapd is installed. 
+ + + + + + + + Package net-snmp is installed + + Fedora + + + Checks if package net-snmp is installed. + + + + + + + + Package providing /etc/login.defs is installed + + Fedora + + + Checks if package providing /etc/login.defs and is installed. + + + + + + + + Package libuser is installed + + Fedora + + + Checks if package libuser is installed. + + + + + + + + Package grub2 is installed + + Fedora + + + Checks if package grub2-common is installed. + + + + + + + + + + + + Package gdm is installed + + Fedora + + + Checks if package gdm is installed. + + + + + + + + Package chrony is installed + + Fedora + + + Checks if package chrony is installed. + + + + + + + + Red Hat Virtualization 4 + + Fedora + + + The application installed installed on the system is + Red Hat Virtualization 4. + + + + + + + + + Red Hat OpenStack Platform + + Fedora + + + The application installed installed on the system is + Red Hat OpenStack Platform 13. + + + + + + + + + Red Hat OpenStack Platform + + Fedora + + + The application installed installed on the system is + Red Hat OpenStack Platform 10. + + + + + + + + + WRLinux 8 + + Fedora + + + The operating system installed on the system is + Wind River Linux 8 + + + + + + + + + WRLinux 1019 + + Fedora + + + The operating system installed on the system is + Wind River Linux 1019 + + + + + + + + + + Ubuntu + + Fedora + + The operating system installed is an Ubuntu System + + + + + + + + + + Ubuntu 2004 + + Fedora + + + The operating system installed on the system is Ubuntu 2004 + + + + + + + + + Ubuntu 1804 + + Fedora + + + The operating system installed on the system is Ubuntu 1804 + + + + + + + + + Ubuntu 1604 + + Fedora + + + The operating system installed on the system is Ubuntu 1604 + + + + + + + + + SUSE Linux Enterprise 15 + + Fedora + + + + The operating system installed on the system is + SUSE Linux Enterprise 15. 
+ + + + + + + + + + + + + SUSE Linux Enterprise 12 + + Fedora + + + + The operating system installed on the system is + SUSE Linux Enterprise 12. + + + + + + + + + + + + + Scientific Linux 7 + + Fedora + + + The operating system installed on the system is + Scientific Linux 7 + + + + + + + + + Scientific Linux 6 + + Fedora + + + The operating system installed on the system is + Scientific Linux 6 + + + + + + + + + Red Hat Virtualization 4 + + Fedora + + + The operating system installed on the system is + Red Hat Virtualization Host 4.4+ or Red Hat Enterprise Host. + + + + + + + + + Red Hat Enterprise Linux 9 + + Fedora + + + The operating system installed on the system is + Red Hat Enterprise Linux 9 + + + + + + + + + + + + + + + Red Hat Enterprise Linux 8 + + Fedora + + + The operating system installed on the system is + Red Hat Enterprise Linux 8 + + + + + + + + + + + + + + + Red Hat Enterprise Linux 7 + + Fedora + + + The operating system installed on the system is + Red Hat Enterprise Linux 7 + + + + + + + + + + + + + + + + + + Red Hat Enterprise Linux CoreOS + + Fedora + + + The operating system installed on the system is + Red Hat Enterprise Linux CoreOS release 4 + + + + + + + + + + + Installed operating system is part of the Unix family + + Fedora + + The operating system installed on the system is part of the Unix OS family + + + + + + + + openSUSE Leap 42 + + Fedora + + + + + The operating system installed on the system is openSUSE Leap 42. + + + + + + + + + openSUSE Leap 15 + + Fedora + + + The operating system installed on the system is openSUSE Leap 15. + + + + + + + + + openSUSE + + Fedora + + The operating system installed on the system is openSUSE. 
+ + + + + + + + + Oracle Linux 8 + + Fedora + + + The operating system installed on the system is + Oracle Linux 8 + + + + + + + + + + + Oracle Linux 7 + + Fedora + + + The operating system installed on the system is + Oracle Linux 7 + + + + + + + + + + + Installed operating system is Fedora + + Fedora + + + The operating system installed on the system is Fedora + + + + + + + + + + Debian + + Fedora + + The operating system installed is a Debian System + + + + + + + + + Debian 9 + + Fedora + + + The operating system installed on the system is Debian 9 + + + + + + + + + Debian Linux 10 + + Fedora + + + The operating system installed on the system is Debian 10 + + + + + + + + + CentOS 8 + + Fedora + + + The operating system installed on the system is + CentOS 8 + + + + + + + + + + CentOS 7 + + Fedora + + + The operating system installed on the system is + CentOS 7 + + + + + + + + + CentOS 6 + + Fedora + + + The operating system installed on the system is + CentOS 6 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /sys/firmware/opal + + + + /proc/sys/kernel/osrelease + ^.*\.(.*)$ + 1 + + + /run/.containerenv + + + /.dockerenv + + + /etc/sssd/sssd.conf + ^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*id_provider[ \t]*=[ \t]*((?i)ad)[ \t]*$ + 1 + + + /sys/firmware/efi + + + + /etc/system-release-cpe + ^cpe:\/o:fedoraproject:fedora:[\d]+$ + 1 + + + fedora-release.* + + + /etc/wrlinux-release + ^VERSION=.8\.0.*$ + 1 + + + /etc/os-release + ^VERSION=.10\.19.*$ + 1 + + + 
/etc/os-release + ^VERSION_ID="(\d)"$ + 1 + + + + + /etc/lsb-release + ^DISTRIB_CODENAME=xenial$ + 1 + + + /etc/lsb-release + ^DISTRIB_CODENAME=focal$ + 1 + + + /etc/lsb-release + ^DISTRIB_CODENAME=bionic$ + 1 + + + /etc/lsb-release + ^DISTRIB_ID=Ubuntu$ + 1 + + + ntp + + + chrony + + + SLES_SAP-release + + + SLES_SAP-release + + + + sles-release + + + sled-release + + + + sles-release + + + sled-release + + + sl-release + + + sl-release + + + redhat-release-virtualization-host + + + rhosp-release + + + rhosp-release + + + rhvm-appliance + + + /etc/redhat-release + ^Red Hat Enterprise Linux release (\d)\.\d+$ + 1 + + + /etc/redhat-release + ^Red Hat Enterprise Linux release (\d)\.\d+$ + 1 + + + /etc/redhat-release + ^Red Hat Enterprise Linux release (\d)\.\d+$ + 1 + + + + redhat-release + + + + redhat-release + + + redhat-release-workstation + + + + redhat-release-server + + + redhat-release-computenode + + + redhat-release-client + + + /etc/os-release + ^ID="(\w+)"$ + 1 + + + /etc/os-release + ^VERSION_ID="(\d)\.\d+"$ + 1 + + + openSUSE-release + + + openSUSE-release + + + openSUSE-release + + + oraclelinux-release + + + oraclelinux-release + + + /etc/os-release + ^NAME=.Wind[\s]+River[\s]+Linux.*$ + 1 + + + /etc/os-release + ^ID="(\w+)"$ + 1 + + + /etc/lsb-release + + + s390utils-base + + + yum + + + systemd + + + sudo + + + sssd-common + + + pam + + + nss-pam-ldapd + + + net-snmp + + + shadow-utils + + + libuser + + + grub2-common + + + gdm + + + /etc/debian_version + ^9.[0-9]+$ + 1 + + + /etc/debian_version + ^10.[0-9]+$ + 1 + + + /etc/debian_version + + + centos-release + + + centos-release + + + + + 8 + + + unix + + + unix + + + unix + + + ppc64le + + + ^15.*$ + + + ^12.*$ + + + unix + + + ^15.*$ + + + ^15.*$ + + + unix + + + ^12.*$ + + + ^12.*$ + + + ^7.*$ + + + ^6.*$ + + + 0:4.4 + + + ^13.*$ + + + ^10.*$ + + + ^4.*$ + + + 9 + + + 8 + + + 7 + + + unix + + + ^9.*$ + + + unix + + + ^8.*$ + + + ^7.*$ + + + unix + + + ^7.*$ + + + ^7.*$ + + + ^7.*$ + + + rhcos + 
+ + 4 + + + ^s390x$ + + + ^42.*$ + + + ^15.*$ + + + openSUSE-release + + + ^8.*$ + + + ^7.*$ + + + centos + + + ^7.*$ + + + ^6.*$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + combine_ovals.py from SCAP Security Guide + ssg: [0, 1, 56], python: 3.9.5 + 5.11 + 2021-08-16T15:12:00 + + + Fedora + 34 (Workstation Edition) + x86_64 + rh-hony + + + lo + 127.0.0.1 + 00:00:00:00:00:00 + + + enp9s0u1 + 10.43.21.233 + 00:50:B6:8E:49:DA + + + wlp0s20f3 + 10.200.153.45 + 74:D8:3E:1A:0C:3E + + + virbr0 + 192.168.122.1 + 52:54:00:E8:16:C5 + + + lo + ::1 + 00:00:00:00:00:00 + + + enp9s0u1 + 2620:52:0:2b15:76a6:117d:1d6:7579 + 00:50:B6:8E:49:DA + + + enp9s0u1 + fe80::648:e757:55c:e02e + 00:50:B6:8E:49:DA + + + wlp0s20f3 + fe80::3bc2:6468:e470:d804 + 74:D8:3E:1A:0C:3E + + + tap0 + fe80::fc21:e6ff:feca:b1f9 + FE:21:E6:CA:B1:F9 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + yum + noarch + (none) + 1.fc34 + 4.8.0 + 0:4.8.0-1.fc34 + 1161ae6945719a39 + yum-0:4.8.0-1.fc34.noarch + + + fedora-release-common + noarch + (none) + 1 + 34 + 0:34-1 + 1161ae6945719a39 + 
fedora-release-common-0:34-1.noarch + + + fedora-release-identity-workstation + noarch + (none) + 1 + 34 + 0:34-1 + 1161ae6945719a39 + fedora-release-identity-workstation-0:34-1.noarch + + + unix + + + gdm + x86_64 + 1 + 1.fc34 + 40.1 + 1:40.1-1.fc34 + 1161ae6945719a39 + gdm-1:40.1-1.fc34.x86_64 + + + sudo + x86_64 + (none) + 1.fc34 + 1.9.5p2 + 0:1.9.5p2-1.fc34 + 1161ae6945719a39 + sudo-0:1.9.5p2-1.fc34.x86_64 + + + /proc/sys/kernel/osrelease + /proc/sys/kernel + osrelease + ^.*\.(.*)$ + 1 + ^.*\.(.*)$ + 5.13.8-200.fc34.x86_64 + x86_64 + + + sssd-common + x86_64 + (none) + 1.fc34 + 2.5.2 + 0:2.5.2-1.fc34 + 1161ae6945719a39 + sssd-common-0:2.5.2-1.fc34.x86_64 + + + chrony + x86_64 + (none) + 1.fc34 + 4.1 + 0:4.1-1.fc34 + 1161ae6945719a39 + chrony-0:4.1-1.fc34.x86_64 + + + /sys/firmware/efi + + directory + 0 + 0 + 1629099952 + 1629099952 + 1629099952 + 0 + false + false + false + true + true + true + true + false + true + true + false + true + + + + x86_64 + rh-hony + Linux + 5.13.8-200.fc34.x86_64 + #1 SMP Wed Aug 4 19:59:54 UTC 2021 + x86_64 + + + grub2-common + noarch + 1 + 2.fc34 + 2.06 + 1:2.06-2.fc34 + 1161ae6945719a39 + grub2-common-1:2.06-2.fc34.noarch + + + libuser + x86_64 + (none) + 4.fc34 + 0.63 + 0:0.63-4.fc34 + 1161ae6945719a39 + libuser-0:0.63-4.fc34.x86_64 + + + /etc/system-release-cpe + /etc + system-release-cpe + ^cpe:\/o:fedoraproject:fedora:[\d]+$ + 1 + ^cpe:\/o:fedoraproject:fedora:[\d]+$ + cpe:/o:fedoraproject:fedora:34 + + + shadow-utils + x86_64 + 2 + 9.fc34 + 4.8.1 + 2:4.8.1-9.fc34 + 1161ae6945719a39 + shadow-utils-2:4.8.1-9.fc34.x86_64 + + + pam + x86_64 + (none) + 6.fc34 + 1.5.1 + 0:1.5.1-6.fc34 + 1161ae6945719a39 + pam-0:1.5.1-6.fc34.x86_64 + + + fedora-release-workstation + noarch + (none) + 1 + 34 + 0:34-1 + 1161ae6945719a39 + fedora-release-workstation-0:34-1.noarch + + + + + + + + + + + + + vim + 1.3.5 + 5.10.1 + 2021-08-16T15:11:58 + + + + + + + + + + + + vim + 5.10.1 + 2012-11-22T15:00:00+01:00 + + + + + Wind River Linux 8 + + Wind 
River Linux 8 + + + The operating system installed on the system is Wind River Linux 8 + + + + + + + + Wind River Linux 1019 + + Wind River Linux 1019 + + + The operating system installed on the system is Wind River Linux 1019 + + + + + + + + Wind River Linux + + Wind River Linux + + + The operating system installed on the system is Wind River Linux + + + + + + + + + Microsoft Windows 8.1 + + Microsoft Windows 8.1 + + + The operating system installed on the system is Microsoft Windows 8.1 + + + + + + + + Microsoft Windows 8 + + Microsoft Windows 8 + + + The operating system installed on the system is Microsoft Windows 8 + + + + + + + + Microsoft Windows 7 + + Microsoft Windows 7 + + + The operating system installed on the system is Microsoft Windows 7 + + + + + + + + Microsoft Windows Server 2016 + + Microsoft Windows Server 2016 + + + The operating system installed on the system is Microsoft Windows Server 2016 + + + + + + + + Microsoft Windows Server 2012 + + Microsoft Windows Server 2012 + + + The operating system installed on the system is Microsoft Windows Server 2012 + + + + + + + + Microsoft Windows Server 2008 + + Microsoft Windows Server 2008 + + + The operating system installed on the system is Microsoft Windows Server 2008 + + + + + + + + Microsoft Windows 10 + + Microsoft Windows 10 + + + The operating system installed on the system is Microsoft Windows 10 + + + + + + + + SUSE Linux Enterprise Server 12 + + SUSE Linux Enterprise Server 12 + + + The operating system installed on the system is SUSE Linux Enterprise Server 12 + + + + + + + + SUSE Linux Enterprise Server 10 + + SUSE Linux Enterprise Server 10 + + + The operating system installed on the system is SUSE Linux Enterprise Server 10 + + + + + + + + SUSE Linux Enterprise Desktop 12 + + SUSE Linux Enterprise Desktop 12 + + + The operating system installed on the system is SUSE Linux Enterprise Desktop 12 + + + + + + + + SUSE Linux Enterprise Desktop 10 + + SUSE Linux Enterprise Desktop 10 + + + The 
operating system installed on the system is SUSE Linux Enterprise Desktop 10 + + + + + + + + SUSE Linux Enterprise 11 + + SUSE Linux Enterprise Server 11 + SUSE Linux Enterprise Desktop 11 + + + + + The operating system installed on the system is SUSE Linux Enterprise 11. + + + + + + + + + + + + SUSE Linux Enterprise All Platforms + + SUSE Linux Enterprise All Platforms + + + The operating system installed on the system is SUSE Linux Enterprise + + + + + + + + + + + Scientific Linux 7 + + Scientific Linux 7 + + + The operating system installed on the system is Scientific Linux 7 + + + + + + + + Scientific Linux 6 + + Scientific Linux 6 + + + The operating system installed on the system is Scientific Linux 6 + + + + + + + + Scientific Linux 5 + + Scientific Linux 5 + + + The operating system installed on the system is Scientific Linux 5 + + + + + + + + Red Hat Enterprise Linux 8 + + Red Hat Enterprise Linux 8 + + + The operating system installed on the system is Red Hat Enterprise Linux 8 + + + + + + + + Red Hat Enterprise Linux 7 + + Red Hat Enterprise Linux 7 + + + The operating system installed on the system is Red Hat Enterprise Linux 7 + + + + + + + + + + + + Red Hat Enterprise Linux 6 + + Red Hat Enterprise Linux 6 + + + The operating system installed on the system is Red Hat Enterprise Linux 6 + + + + + + + + Red Hat Enterprise Linux 5 + + Red Hat Enterprise Linux 5 + + + The operating system installed on the system is Red Hat Enterprise Linux 5 + + + + + + + + Community Enterprise Operating System 7 + + Community Enterprise Operating System 7 + + + The operating system installed on the system is Community Enterprise Operating System 7 + + + + + + + + Community Enterprise Operating System 6 + + Community Enterprise Operating System 6 + + + The operating system installed on the system is Community Enterprise Operating System 6 + + + + + + + + Community Enterprise Operating System 5 + + Community Enterprise Operating System 5 + + + The operating system 
installed on the system is Community Enterprise Operating System 5 + + + + + + + + Red Hat Enterprise Linux + + Red Hat Enterprise Linux + + + The operating system installed on the system is Red Hat Enterprise Linux + + + + + + + + openSUSE Leap 42.3 + + openSUSE Leap 42.3 + + + The operating system installed on the system is openSUSE Leap 42.3 + + + + + + + + openSUSE Leap 42.2 + + openSUSE Leap 42.2 + + + + The operating system installed on the system is openSUSE Leap 42.2 + + + + + + + + openSUSE Leap 42.1 + + openSUSE Leap 42.1 + + + + The operating system installed on the system is openSUSE Leap 42.1 + + + + + + + + openSUSE Leap 15.0 + + openSUSE Leap 15.0 + + + The operating system installed on the system is openSUSE Leap 15.0 + + + + + + + + openSUSE 13.2 + + openSUSE 13.2 + + + The operating system installed on the system is openSUSE 13.2 + + + + + + + + openSUSE 13.1 + + openSUSE 13.1 + + + The operating system installed on the system is openSUSE 13.1 + + + + + + + + openSUSE 11.4 + + openSUSE 11.4 + + + The operating system installed on the system is openSUSE 11.4 + + + + + + + + openSUSE All Versions + + openSUSE + + + The operating system installed on the system is openSUSE + + + + + + + + Oracle Linux 8 + + Oracle Linux 8 + + + The operating system installed on the system is Oracle Linux 8 + + + + + + + + Oracle Linux 7 + + Oracle Linux 7 + + + The operating system installed on the system is Oracle Linux 7 + + + + + + + + Oracle Linux 6 + + Oracle Linux 6 + + + The operating system installed on the system is Oracle Linux 6 + + + + + + + + Oracle Linux 5 + + Oracle Linux 5 + + + The operating system installed on the system is Oracle Linux 5 + + + + + + + + Fedora 35 + + Fedora 35 + + + The operating system installed on the system is Fedora 35 + + + + + + + + Fedora 34 + + Fedora 34 + + + The operating system installed on the system is Fedora 34 + + + + + + + + Fedora 33 + + Fedora 33 + + + The operating system installed on the system is Fedora 33 + + + 
+ + + + + Fedora 32 + + Fedora 32 + + + The operating system installed on the system is Fedora 32 + + + + + + + + Fedora 31 + + Fedora 31 + + + The operating system installed on the system is Fedora 31 + + + + + + + + Fedora 30 + + Fedora 30 + + + The operating system installed on the system is Fedora 30 + + + + + + + + Fedora 29 + + Fedora 29 + + + The operating system installed on the system is Fedora 29 + + + + + + + + Fedora 28 + + Fedora 28 + + + The operating system installed on the system is Fedora 28 + + + + + + + + Fedora 27 + + Fedora 27 + + + The operating system installed on the system is Fedora 27 + + + + + + + + Fedora 26 + + Fedora 26 + + + The operating system installed on the system is Fedora 26 + + + + + + + + Fedora 25 + + Fedora 25 + + + The operating system installed on the system is Fedora 25 + + + + + + + + Fedora 24 + + Fedora 24 + + + The operating system installed on the system is Fedora 24 + + + + + + + + Fedora 23 + + Fedora 23 + + + The operating system installed on the system is Fedora 23 + + + + + + + + Fedora 22 + + Fedora 22 + + + The operating system installed on the system is Fedora 22 + + + + + + + + Fedora 21 + + Fedora 21 + + + The operating system installed on the system is Fedora 21 + + + + + + + + Fedora 20 + + Fedora 20 + + + The operating system installed on the system is Fedora 20 + + + + + + + + Fedora 19 + + Fedora 19 + + + The operating system installed on the system is Fedora 19 + + + + + + + + Fedora 18 + + Fedora 18 + + + The operating system installed on the system is Fedora 18 + + + + + + + + Fedora 17 + + Fedora 17 + + + The operating system installed on the system is Fedora 17 + + + + + + + + Fedora 16 + + Fedora 16 + + + The operating system installed on the system is Fedora 16 + + + + + + + + Community Enterprise Operating System 8 + + Community Enterprise Operating System 8 + + + The operating system installed on the system is Community Enterprise Operating System 8 + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + /etc + os-release + ^VERSION=.(\d*.\d*) + 1 + + + /etc + wrlinux-release + ^VERSION=.([[:digit:]]*) + 1 + + + /etc/wrlinux-release + + + HKEY_LOCAL_MACHINE + SOFTWARE\Microsoft\Windows NT\CurrentVersion + ProductName + + + + sles-release + + + sled-release + + + /etc/redhat-release + ^Red Hat Enterprise Linux release (\d)\.\d+$ + 1 + + + redhat-release-virtualization-host + + + + + + + + + /etc/redhat-release + + + redhat-release + + + oraclelinux-release + + + openSUSE-release + + + ^fedora-release.* + + + /etc/os-release + ^VERSION_ID="(\d)"$ + 1 + + + /etc/os-release + ^ID="(\w+)"$ + 1 + + + + + 8 + + + 10.19 + + + ^Windows 8\.1.*$ + + + ^Windows 8.*$ + + + ^Windows 7.*$ + + + ^.*2016.*$ + + + ^.*2012.*$ + + + ^.*2008.*$ + + + ^Windows 10.*$ + + + unix + + + ^12($|[^\d]) + + + ^11($|[^\d]) + + + ^10($|[^\d]) + + + ^sles-release + + + ^12($|[^\d]) + + + ^11($|[^\d]) + + + ^10($|[^\d]) + + + ^sled-release + + + ^sl-release + ^7 + + + ^sl-release + ^6 + + + ^sl-release + ^5 + + + 7 + + + ^redhat-release + ^8[^\d] + + + ^redhat-release + ^7[^\d] + + + ^redhat-release + ^6[^\d] + + + ^5[^\d] + + + ^redhat-release + + + ^centos-release + ^7 + + + ^centos-release + ^6 + + + ^centos-release + ^5 + + + ^42.3$ + + + ^42.2$ + + + ^42.1$ + + + ^openSUSE-release + + + ^15.0$ + + + ^13.2$ + + + ^13.1$ + + + ^11.4$ + + + ^oraclelinux-release + ^8 + + + ^oraclelinux-release + ^7 + + + ^oraclelinux-release + ^6 + + + ^oraclelinux-release + ^5 + + + ^35$ + + + ^34$ + + + ^33$ + 
+ + ^32$ + + + ^31$ + + + ^30$ + + + ^29$ + + + ^28$ + + + ^27$ + + + ^26$ + + + ^25$ + + + ^24$ + + + ^23$ + + + ^22$ + + + ^21$ + + + ^20$ + + + ^19$ + + + ^18$ + + + ^17$ + + + ^16$ + + + 8 + + + centos + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + vim + 5.10.1 + 2021-08-16T15:11:58 + + + Fedora + 34 (Workstation Edition) + x86_64 + rh-hony + + + lo + 127.0.0.1 + 00:00:00:00:00:00 + + + enp9s0u1 + 10.43.21.233 + 00:50:B6:8E:49:DA + + + wlp0s20f3 + 10.200.153.45 + 74:D8:3E:1A:0C:3E + + + virbr0 + 192.168.122.1 + 52:54:00:E8:16:C5 + + + lo + ::1 + 00:00:00:00:00:00 + + + enp9s0u1 + 2620:52:0:2b15:76a6:117d:1d6:7579 + 00:50:B6:8E:49:DA + + + enp9s0u1 + fe80::648:e757:55c:e02e + 00:50:B6:8E:49:DA + + + wlp0s20f3 + fe80::3bc2:6468:e470:d804 + 74:D8:3E:1A:0C:3E + + + tap0 + fe80::fc21:e6ff:feca:b1f9 + FE:21:E6:CA:B1:F9 + + + + + + + + + + + + + fedora-release-workstation + noarch + (none) + 1 + 34 + 0:34-1 + 1161ae6945719a39 + fedora-release-workstation-0:34-1.noarch + + + fedora-release-common + noarch + (none) + 1 + 34 + 0:34-1 + 1161ae6945719a39 + fedora-release-common-0:34-1.noarch + + + fedora-release-identity-workstation + noarch + (none) + 1 + 34 + 0:34-1 + 1161ae6945719a39 + fedora-release-identity-workstation-0:34-1.noarch + + 
+ + + + + + + +